THOUGHTS.txt

@@ -1879,25 +1879,3 @@ abstraction - and we can't call it any name that nftables uses already
 Mon Jun 19 20:45:48 BST 2023
 
 why is chrony using libedit?
-
-Thu Jun 22 09:52:57 BST 2023
-
-- There is a lot more lua being installed (luac, docs, static
-  libraries etc) than we really need.
-
-- update User docs to include a list of supported  targets
-
-Thu Jun 22 23:43:06 BST 2023
-
-- is there a sysfs to enable ipv6 forwarding?
-- we haven't an ipv4 firewall yet
-
-
-PATH=`echo /nix/store/*nftables*/bin`:$PATH
-nft list ruleset
-
-Thu Jun 22 23:58:58 BST 2023
-
-Looks like we're missing at least one kernel config setting for
-nftables. Would this be a good time to do a derivation for building
-kernel modules?

examples/rotuer-firewall.nix

@@ -3,12 +3,9 @@ let
   accept = expr : "${expr} accept";
   mcast-scope = 8;
   allow-incoming = false;
-in {
   bogons-ip6 = {
     type = "filter";
     family = "ip6";
-    policy = "accept";
-    hook = "prerouting";
     rules = [
       (drop "ip6 saddr ff00::/8") # multicast saddr is illegal
 
@@ -41,6 +38,7 @@ in {
     policy = "drop";
     hook = "forward";
     rules = [
+      "jump bogons-ip6"
       (drop "ip6 saddr ::1/128") # loopback address [RFC4291]
       (drop "ip6 daddr ::1/128")
       (drop "ip6 saddr ::FFFF:0:0/96")# IPv4-mapped addresses
@@ -71,7 +69,7 @@ in {
       # does this ever get used or does the preceding general udp accept
       # already grab anything that might get here?
       (accept "oifname \"ppp0\" udp dport 500") # IKE Protocol [RFC5996]. haha zyxel
-      (accept "ip6 nexthdr 139") #  Host Identity Protocol
+      (accept "ip6 nexthdr hip")
 
       ## FIXME no support yet for recs 27-30 Mobility Header
 
@@ -97,28 +95,18 @@ in {
       (accept "iifname \"int\" oifname \"ppp0\" ")
     ];
   };
-  input-lan = {
-    type = "filter";
-    family = "ip6";
-
-    rules = [
-      (accept "udp dport 547") # dhcp, could restrict to daddr ff02::1:2
-      (accept "tcp dport 22")
-    ];
-  };
   input-ip6 = {
     type = "filter";
     family = "ip6";
     policy = "drop";
     hook = "input";
     rules = [
+      "jump bogons-ip6"
       (accept "meta l4proto icmpv6")
-      "iifname int jump input-lan"
       (if allow-incoming
        then accept "oifname \"int\" iifname \"ppp0\""
        else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
       )
-      # how does this even make sense in an input chain?
       (accept "oifname \"int\" iifname \"ppp0\"  ct state established,related")
       (accept "iifname \"int\" oifname \"ppp0\" ")
     ];
@@ -128,8 +116,9 @@ in {
     type = "filter";
     family = "ip6";
     rules = [
-      # this is where you put permitted incoming connections
+      "oifname \"int\" ip6 daddr 2001:8b0:de3a:40de::e9d tcp dport 22"
-      # "oifname \"int\" ip6 daddr 2001:8b0:de3a:40de::e9d tcp dport 22"
     ];
   };
+in {
+  inherit input-ip6 forward-ip6 bogons-ip6 incoming-allowed-ip6;
 }

examples/rotuer.nix

@@ -227,49 +227,21 @@ in rec {
   };
 
   services.firewall =
-    let
+    let config = pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix);
-      script= pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix);
-      kmodules = pkgs.kernel-modules.override {
-        kernelSrc  = config.outputs.kernel.src;
-        modulesupport = config.outputs.kernel.modulesupport;
-        kconfig = {
-          NFT_FIB_IPV4 = "m";
-          NFT_FIB_IPV6 = "m";
-          NF_TABLES = "m";
-          NF_CT_PROTO_DCCP = "y";
-          NF_CT_PROTO_SCTP = "y";
-          NF_CT_PROTO_UDPLITE = "y";
-          #          NF_CONNTRACK_FTP = "m";
-          NFT_CT = "m";
-        };
-        targets = [
-          "nft_fib_ipv4"
-          "nft_fib_ipv6"
-        ];
-      };
     in oneshot {
       name = "firewall";
-      up = ''
+      up = config;
-        sh ${kmodules}/load.sh
-        ${script};
-      '';
       down = "${pkgs.nftables}/bin/nft flush ruleset";
     };
 
   services.packet_forwarding =
-    let
+    let filename = "/proc/sys/net/ipv4/conf/all/forwarding";
-      ip4 = "/proc/sys/net/ipv4/conf/all/forwarding";
-      ip6 = "/proc/sys/net/ipv6/conf/all/forwarding";
     in oneshot {
       name = "let-the-ip-flow";
       up = ''
-        echo 1 > ${ip4}
+        echo 1 > ${filename}
-        echo 1 > ${ip6}
-      '';
-      down = ''
-        echo 0 > ${ip4};
-        echo 0 > ${ip6};
       '';
+      down = "echo 0 > ${filename}";
       dependencies = [ services.firewall ];
     };
 

pkgs/default.nix

@@ -54,5 +54,4 @@
   min-copy-closure = callPackage ./min-copy-closure {};
   hi = callPackage ./hi {};
   firewallgen  = callPackage ./firewallgen {};
-  kernel-modules  = callPackage ./kernel-modules {};
 }

pkgs/firewallgen/default.nix

@@ -53,7 +53,7 @@ let
       ({ family, ... } : family)
       (mapAttrsToList (n : v : v // { name = n; }) chains);
 in writeScript name ''
-#!${nftables}/sbin/nft -f
+#!${nftables}/sbin/nft -cf
 
 flush ruleset
 

pkgs/kernel-modules/Makefile

@@ -1,3 +0,0 @@
-
-
-# obj-m += net/ipv4/netfilter/nft_fib_ipv4.o

pkgs/kernel-modules/default.nix

@@ -1,50 +0,0 @@
-{
-  stdenv
-, buildPackages
-, kernelSrc  ? null
-, modulesupport ? null
-, targets ? []
-, kconfig ? {}
-, openssl
-, writeText
-, lib
-}:
-let
-  writeConfig = import ../kernel/write-kconfig.nix { inherit lib writeText; };
-in stdenv.mkDerivation {
-  name = "kernel-modules";
-
-  nativeBuildInputs = [buildPackages.stdenv.cc] ++
-                      (with buildPackages.pkgs; [
-                        bc bison flex
-                        openssl
-                        cpio
-                        kmod
-                      ]);
-  CC = "${stdenv.cc.bintools.targetPrefix}gcc";
-  HOST_EXTRACFLAGS = with buildPackages.pkgs;
-    "-I${buildPackages.openssl.dev}/include -L${buildPackages.openssl.out}/lib";
-  CROSS_COMPILE = stdenv.cc.bintools.targetPrefix;
-  ARCH = "mips";  # kernel uses "mips" here for both mips and mipsel
-  KBUILD_BUILD_HOST = "liminix.builder";
-
-  buildPhase = ''
-    cat ${writeConfig "kconfig" kconfig}  > .more-config
-    cat .more-config >> .config
-    make olddefconfig
-    for v in $(cat .more-config) ; do grep $v .config || (echo Missing $v && exit 1);done
-    # grep =m .config
-    make modules
-  '';
-  src =  modulesupport;
-  installPhase = ''
-    mkdir -p $out/lib/modules/0.0
-    find . -name \*.ko | cpio --verbose --make-directories -p $out/lib/modules/0.0
-    depmod -b $out -v 0.0
-    touch $out/load.sh
-    for i in ${lib.concatStringsSep " " targets}; do
-      modprobe -S 0.0 -d $out --show-depends $i >> $out/load.sh
-    done
-    tac < $out/load.sh | sed 's/^insmod/rmmod/g' > $out/unload.sh
-  '';
-}

pkgs/kernel/default.nix

@@ -8,8 +8,13 @@
  , src
  , extraPatchPhase ? "echo"
 } :
-let
+let writeConfig = name : config: writeText name
-  writeConfig = import ./write-kconfig.nix { inherit lib writeText; };
+        (builtins.concatStringsSep
+          "\n"
+          (lib.mapAttrsToList
+            (name: value: (if value == "n" then "# CONFIG_${name} is not set" else "CONFIG_${name}=${value}"))
+            config
+          ));
     kconfigFile = writeConfig "kconfig" config;
     inherit lib; in
 stdenv.mkDerivation rec {
@@ -96,8 +101,6 @@ stdenv.mkDerivation rec {
     cp vmlinux $out
     mkdir -p $headers
     cp -a include .config $headers/
-    mkdir -p $modulesupport
-    cp modules.* $modulesupport
     make clean modules_prepare
     cp -a . $modulesupport
   '';

pkgs/kernel/write-kconfig.nix

@@ -1,11 +0,0 @@
-{
-  lib
-, writeText
-}:
-name : config: writeText name
-  (builtins.concatStringsSep
-    "\n"
-    (lib.mapAttrsToList
-      (name: value: (if value == "n" then "# CONFIG_${name} is not set" else "CONFIG_${name}=${value}"))
-      config
-    ))