Compare commits
No commits in common. "b002a94e07a8165286aa7ee4571c296b2bf8d0fc" and "ce207e47636eb4de8bf7474537912c45ec20b071" have entirely different histories.
b002a94e07
...
ce207e4763
@ -12,7 +12,7 @@
|
|||||||
config = "mips-unknown-linux-musl";
|
config = "mips-unknown-linux-musl";
|
||||||
gcc = {
|
gcc = {
|
||||||
abi = "32";
|
abi = "32";
|
||||||
arch = "24kc"; # maybe mips_24kc-
|
arch = "mips32"; # maybe mips_24kc-
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -1,124 +0,0 @@
|
|||||||
let
|
|
||||||
drop = expr : "${expr} drop";
|
|
||||||
accept = expr : "${expr} accept";
|
|
||||||
mcast-scope = 8;
|
|
||||||
allow-incoming = false;
|
|
||||||
bogons-ip6 = {
|
|
||||||
type = "filter";
|
|
||||||
family = "ip6";
|
|
||||||
rules = [
|
|
||||||
(drop "ip6 saddr ff00::/8") # multicast saddr is illegal
|
|
||||||
|
|
||||||
(drop "ip6 saddr ::/128") # unspecified address
|
|
||||||
(drop "ip6 daddr ::/128")
|
|
||||||
(drop "ip6 saddr 2001:db8::/32") # documentation addresses
|
|
||||||
(drop "ip6 daddr 2001:db8::/32")
|
|
||||||
|
|
||||||
# I think this means "check FIB for (saddr, iif) to see if we
|
|
||||||
# could route a packet to that address using that interface",
|
|
||||||
# and if we can't then it was an inapproppriate source address
|
|
||||||
# for packets received _from_ said interface
|
|
||||||
(drop "fib saddr . iif oif eq 0")
|
|
||||||
|
|
||||||
(drop "icmpv6 type router-renumbering")
|
|
||||||
(drop "icmpv6 type 139") # Node Information Query
|
|
||||||
(drop "icmpv6 type 140") # Node Information Response
|
|
||||||
(drop "icmpv6 type 100")
|
|
||||||
(drop "icmpv6 type 101")
|
|
||||||
(drop "icmpv6 type 200")
|
|
||||||
(drop "icmpv6 type 201")
|
|
||||||
(drop "icmpv6 type 127")
|
|
||||||
(drop "icmpv6 type 255")
|
|
||||||
(drop "icmpv6 type destination-unreachable ct state invalid,untracked")
|
|
||||||
];
|
|
||||||
};
|
|
||||||
forward-ip6 = {
|
|
||||||
type = "filter";
|
|
||||||
family = "ip6";
|
|
||||||
policy = "drop";
|
|
||||||
hook = "forward";
|
|
||||||
rules = [
|
|
||||||
"jump bogons-ip6"
|
|
||||||
(drop "ip6 saddr ::1/128") # loopback address [RFC4291]
|
|
||||||
(drop "ip6 daddr ::1/128")
|
|
||||||
(drop "ip6 saddr ::FFFF:0:0/96")# IPv4-mapped addresses
|
|
||||||
(drop "ip6 daddr ::FFFF:0:0/96")
|
|
||||||
(drop "ip6 saddr fe80::/10") # link-local unicast
|
|
||||||
(drop "ip6 daddr fe80::/10")
|
|
||||||
(drop "ip6 saddr fc00::/7") # unique-local addresses
|
|
||||||
(drop "ip6 daddr fc00::/7")
|
|
||||||
(drop "ip6 saddr 2001:10::/28") # ORCHID [RFC4843].
|
|
||||||
(drop "ip6 daddr 2001:10::/28")
|
|
||||||
|
|
||||||
(drop "ip6 saddr fc00::/7") # unique local source
|
|
||||||
(drop "ip6 daddr fc00::/7") # and/or dst addresses [RFC4193]
|
|
||||||
|
|
||||||
# multicast with wrong scopes
|
|
||||||
(drop
|
|
||||||
# dest addr first byte 0xff, low nibble of second byte <= scope
|
|
||||||
# https://www.mankier.com/8/nft#Payload_Expressions-Raw_Payload_Expression
|
|
||||||
"@nh,192,8 eq 0xff @nh,204,4 le ${toString mcast-scope}")
|
|
||||||
|
|
||||||
(accept "oifname \"int\" iifname \"ppp0\" meta l4proto udp ct state established,related")
|
|
||||||
(accept "iifname \"int\" oifname \"ppp0\" meta l4proto udp")
|
|
||||||
|
|
||||||
(accept "meta l4proto icmpv6")
|
|
||||||
(accept "meta l4proto ah")
|
|
||||||
(accept "meta l4proto esp")
|
|
||||||
|
|
||||||
# does this ever get used or does the preceding general udp accept
|
|
||||||
# already grab anything that might get here?
|
|
||||||
(accept "oifname \"ppp0\" udp dport 500") # IKE Protocol [RFC5996]. haha zyxel
|
|
||||||
(accept "ip6 nexthdr hip")
|
|
||||||
|
|
||||||
## FIXME no support yet for recs 27-30 Mobility Header
|
|
||||||
|
|
||||||
(accept "oifname \"int\" iifname \"ppp0\" meta l4proto tcp ct state established,related")
|
|
||||||
(accept "iifname \"int\" oifname \"ppp0\" meta l4proto tcp")
|
|
||||||
|
|
||||||
(accept "oifname \"int\" iifname \"ppp0\" meta l4proto sctp ct state established,related")
|
|
||||||
(accept "iifname \"int\" oifname \"ppp0\" meta l4proto sctp")
|
|
||||||
|
|
||||||
(accept "oifname \"int\" iifname \"ppp0\" meta l4proto dccp ct state established,related")
|
|
||||||
(accept "iifname \"int\" oifname \"ppp0\" meta l4proto dccp")
|
|
||||||
|
|
||||||
# we can allow all reasonable inbound, or we can use an explicit
|
|
||||||
# allowlist to enumerate the endpoints that are allowed to
|
|
||||||
# accept inbound from the WAN
|
|
||||||
(if allow-incoming
|
|
||||||
then accept "oifname \"int\" iifname \"ppp0\""
|
|
||||||
else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
|
|
||||||
)
|
|
||||||
# allow all outbound and any inbound that's part of a
|
|
||||||
# recognised (outbound-initiated) flow
|
|
||||||
(accept "oifname \"int\" iifname \"ppp0\" ct state established,related")
|
|
||||||
(accept "iifname \"int\" oifname \"ppp0\" ")
|
|
||||||
];
|
|
||||||
};
|
|
||||||
input-ip6 = {
|
|
||||||
type = "filter";
|
|
||||||
family = "ip6";
|
|
||||||
policy = "drop";
|
|
||||||
hook = "input";
|
|
||||||
rules = [
|
|
||||||
"jump bogons-ip6"
|
|
||||||
(accept "meta l4proto icmpv6")
|
|
||||||
(if allow-incoming
|
|
||||||
then accept "oifname \"int\" iifname \"ppp0\""
|
|
||||||
else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
|
|
||||||
)
|
|
||||||
(accept "oifname \"int\" iifname \"ppp0\" ct state established,related")
|
|
||||||
(accept "iifname \"int\" oifname \"ppp0\" ")
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
incoming-allowed-ip6 = {
|
|
||||||
type = "filter";
|
|
||||||
family = "ip6";
|
|
||||||
rules = [
|
|
||||||
"oifname \"int\" ip6 daddr 2001:8b0:de3a:40de::e9d tcp dport 22"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
in {
|
|
||||||
inherit input-ip6 forward-ip6 bogons-ip6 incoming-allowed-ip6;
|
|
||||||
}
|
|
@ -226,23 +226,15 @@ in rec {
|
|||||||
dependencies = [ services.wan ];
|
dependencies = [ services.wan ];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.firewall =
|
|
||||||
let config = pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix);
|
|
||||||
in oneshot {
|
|
||||||
name = "firewall";
|
|
||||||
up = config;
|
|
||||||
down = "${pkgs.nftables}/bin/nft flush ruleset";
|
|
||||||
};
|
|
||||||
|
|
||||||
services.packet_forwarding =
|
services.packet_forwarding =
|
||||||
let filename = "/proc/sys/net/ipv4/conf/all/forwarding";
|
let filename = "/proc/sys/net/ipv4/conf/all/forwarding";
|
||||||
in oneshot {
|
in oneshot {
|
||||||
name = "let-the-ip-flow";
|
name = "let-the-ip-flow";
|
||||||
up = ''
|
up = ''
|
||||||
|
${pkgs.nftables}/bin/nft -f ${../nat.nft}
|
||||||
echo 1 > $(unknown)
|
echo 1 > $(unknown)
|
||||||
'';
|
'';
|
||||||
down = "echo 0 > $(unknown)";
|
down = "echo 0 > $(unknown)";
|
||||||
dependencies = [ services.firewall ];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services.dhcp6 =
|
services.dhcp6 =
|
||||||
@ -288,7 +280,5 @@ in rec {
|
|||||||
acquire-lan-prefix
|
acquire-lan-prefix
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
defaultProfile.packages = with pkgs; [
|
defaultProfile.packages = with pkgs; [min-collect-garbage nftables tcpdump] ;
|
||||||
min-collect-garbage
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
|
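Review bot: In the `up` script of `services.packet_forwarding`, the newly added `${pkgs.nftables}/bin/nft -f ${../nat.nft}` is followed unconditionally by the write of 1 to the sysctl path bound as `filename`, so if `nft -f` fails (file missing, parse error) forwarding is still switched on with no ruleset loaded; chain it, `${pkgs.nftables}/bin/nft -f ${../nat.nft} || exit 1`, or open the script with `set -e`. The removed `services.firewall` oneshot also owned the teardown `down = "${pkgs.nftables}/bin/nft flush ruleset"`, while the surviving `down` only writes 0 to the sysctl, so the loaded ruleset now outlives the service; add the flush to `down` as well. The IPv6 input/forward tables with `policy = "drop"` lived in the 124-line file deleted above (the `import ./rotuer-firewall.nix` on the removed line), nothing on the new side re-creates them, and whether `../nat.nft` carries equivalent filter chains is not visible here, so a comment at the `nft -f` line stating what `nat.nft` is expected to provide would help the next reader. Minor: `[min-collect-garbage nftables tcpdump] ;` in the last hunk has a stray space before the semicolon. The enclosing `rec { ... }` attribute set starts outside these hunks.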
67
overlay.nix
67
overlay.nix
@ -47,6 +47,8 @@ extraPkgs // {
|
|||||||
];
|
];
|
||||||
});
|
});
|
||||||
|
|
||||||
|
# openssl is reqired by ntp
|
||||||
|
|
||||||
rsyncSmall = prev.rsync.overrideAttrs(o: {
|
rsyncSmall = prev.rsync.overrideAttrs(o: {
|
||||||
configureFlags = o.configureFlags ++ [
|
configureFlags = o.configureFlags ++ [
|
||||||
"--disable-openssl"
|
"--disable-openssl"
|
||||||
@ -66,15 +68,31 @@ extraPkgs // {
|
|||||||
nss = null;
|
nss = null;
|
||||||
nspr = null;
|
nspr = null;
|
||||||
readline = null;
|
readline = null;
|
||||||
libedit = null;
|
|
||||||
libcap = null;
|
|
||||||
libseccomp = null;
|
libseccomp = null;
|
||||||
# should texinfo be in nativeBuildInputs instead of
|
|
||||||
# buildInputs?
|
|
||||||
texinfo = null;
|
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
ntp =
|
||||||
|
let
|
||||||
|
openssl = prev.openssl.overrideAttrs(o: {
|
||||||
|
preInstall = ''
|
||||||
|
find . -name libcrypto.so.3 -ls
|
||||||
|
$STRIP lib*.so.*
|
||||||
|
'';
|
||||||
|
});
|
||||||
|
ntp_ = prev.ntp.overrideAttrs(o: {
|
||||||
|
outputs = [
|
||||||
|
"out"
|
||||||
|
"man"
|
||||||
|
"perllib"
|
||||||
|
"doc"
|
||||||
|
];
|
||||||
|
postInstall = ''
|
||||||
|
mkdir -p $perllib
|
||||||
|
moveToOutput "share/ntp" $perllib
|
||||||
|
'';
|
||||||
|
});
|
||||||
|
in ntp_.override { inherit openssl; };
|
||||||
|
|
||||||
strace = prev.strace.override { libunwind = null; };
|
strace = prev.strace.override { libunwind = null; };
|
||||||
|
|
||||||
kexec-tools-static = prev.kexec-tools.overrideAttrs(o: {
|
kexec-tools-static = prev.kexec-tools.overrideAttrs(o: {
|
||||||
@ -166,4 +184,41 @@ extraPkgs // {
|
|||||||
});
|
});
|
||||||
|
|
||||||
pppBuild = prev.ppp;
|
pppBuild = prev.ppp;
|
||||||
|
pppOld =
|
||||||
|
(prev.ppp.override {
|
||||||
|
libpcap = null;
|
||||||
|
}).overrideAttrs (o : {
|
||||||
|
stripAllList = [ "bin" ];
|
||||||
|
buildInputs = [];
|
||||||
|
|
||||||
|
# patches =
|
||||||
|
# o.patches ++
|
||||||
|
# [(final.fetchpatch {
|
||||||
|
# name = "ipv6-script-options.patch";
|
||||||
|
# url = "https://github.com/ppp-project/ppp/commit/874c2a4a9684bf6938643c7fa5ff1dd1cf80aea4.patch";
|
||||||
|
# sha256 = "sha256-K46CKpDpm1ouj6jFtDs9IUMHzlRMRP+rMPbMovLy3o4=";
|
||||||
|
# })];
|
||||||
|
|
||||||
|
postPatch = ''
|
||||||
|
sed -i -e 's@_PATH_VARRUN@"/run/"@' pppd/main.c
|
||||||
|
sed -i -e 's@^FILTER=y@# FILTER unset@' pppd/Makefile.linux
|
||||||
|
sed -i -e 's/-DIPX_CHANGE/-UIPX_CHANGE/g' pppd/Makefile.linux
|
||||||
|
'';
|
||||||
|
buildPhase = ''
|
||||||
|
runHook preBuild
|
||||||
|
make -C pppd CC=$CC USE_TDB= HAVE_MULTILINK= USE_EAPTLS= USE_CRYPT=y
|
||||||
|
make -C pppd/plugins/pppoe CC=$CC
|
||||||
|
make -C pppd/plugins/pppol2tp CC=$CC
|
||||||
|
runHook postBuild;
|
||||||
|
'';
|
||||||
|
installPhase = ''
|
||||||
|
runHook preInstall
|
||||||
|
mkdir -p $out/bin $out/lib/pppd/2.4.9
|
||||||
|
cp pppd/pppd pppd/plugins/pppoe/pppoe-discovery $out/bin
|
||||||
|
cp pppd/plugins/pppoe/pppoe.so $out/lib/pppd/2.4.9
|
||||||
|
cp pppd/plugins/pppol2tp/{open,pppo}l2tp.so $out/lib/pppd/2.4.9
|
||||||
|
runHook postInstall
|
||||||
|
'';
|
||||||
|
postFixup = "";
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
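Review bot: `installPhase` of the new `pppOld` derivation hard-codes the plugin directory `$out/lib/pppd/2.4.9` in the `mkdir` and both `cp` lines, so if `prev.ppp` is ever a different version the plugins are copied to a directory pppd never searches; derive it from the derivation instead, e.g. `mkdir -p $out/bin $out/lib/pppd/${o.version}` (assuming `prev.ppp` sets `version`, which the `overrideAttrs` argument `o` would expose — confirm). The `ntp` override in the second hunk keeps what looks like a debugging leftover in `preInstall`, `find . -name libcrypto.so.3 -ls`, which only prints a listing and should go. The commented-out `patches` block carrying a patch URL and hash inside `pppOld` is dead code; either drop it or replace it with a one-line comment saying why the ipv6-script-options patch is not applied. Minor: `runHook postBuild;` has a stray semicolon, and the comment added in the first hunk spells `reqired` for `required`. The enclosing `extraPkgs // { ... }` set starts outside these hunks.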
@ -2,30 +2,20 @@
|
|||||||
runCommand
|
runCommand
|
||||||
, luaSmall
|
, luaSmall
|
||||||
, runtimeShell
|
, runtimeShell
|
||||||
, fetchurl
|
|
||||||
, lib
|
, lib
|
||||||
, lua53Packages
|
|
||||||
}:
|
}:
|
||||||
let inherit (lua53Packages) lua;
|
let lua = luaSmall;
|
||||||
in name : packages : source :
|
in name : packages : source :
|
||||||
let
|
let
|
||||||
fennel = fetchurl {
|
luapath = builtins.map (f: "${f}/share/lua/${lua.luaversion}/?.lua;") packages;
|
||||||
url = "https://fennel-lang.org/downloads/fennel-1.3.0";
|
luacpath = builtins.map (f: "${f}/lib/lua/${lua.luaversion}/?.so;") packages;
|
||||||
hash = "sha256-hYSD3rBYF8iTjBOA1m+TvUu8BSp8q6uIMUXi0xwo/dU=";
|
in runCommand name {} ''
|
||||||
};
|
|
||||||
|
|
||||||
luapath = builtins.map (f: "${f}/share/lua/${luaSmall.luaversion}/?.lua;") packages;
|
|
||||||
luacpath = builtins.map (f: "${f}/lib/lua/${luaSmall.luaversion}/?.so;") packages;
|
|
||||||
in runCommand name {
|
|
||||||
nativeBuildInputs = [ lua ];
|
|
||||||
} ''
|
|
||||||
echo $PATH
|
|
||||||
#!${runtimeShell}
|
#!${runtimeShell}
|
||||||
(
|
(
|
||||||
echo "#!${luaSmall}/bin/lua"
|
echo "#!${lua}/bin/lua"
|
||||||
echo "package.path = ${lib.strings.escapeShellArg luapath} .. package.path"
|
echo "package.path = ${lib.strings.escapeShellArg luapath} .. package.path"
|
||||||
echo "package.cpath = ${lib.strings.escapeShellArg luacpath} .. package.cpath"
|
echo "package.cpath = ${lib.strings.escapeShellArg luacpath} .. package.cpath"
|
||||||
lua ${fennel} --correlate --compile ${source}
|
${lua.pkgs.fennel}/bin/fennel --correlate --compile ${source}
|
||||||
) > $out
|
) > $out
|
||||||
chmod a+x $out
|
chmod a+x $out
|
||||||
''
|
''
|
||||||
|
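Review bot: `luapath` and `luacpath`, rewritten on the new side as `builtins.map` over `packages`, are lists, yet the unchanged `package.path`/`package.cpath` lines below pass them through `lib.strings.escapeShellArg`; that function stringifies its argument, and if I read `toString` on a list correctly it joins elements with spaces, so with two or more packages every entry after the first gets a leading space and Lua will not find modules there (the defect predates the commit, but these are the lines being rewritten). Build strings instead: `luapath = lib.concatMapStrings (f: "${f}/share/lua/${lua.luaversion}/?.lua;") packages;` and the same shape for `luacpath`. A comment above `let lua = luaSmall;` noting that the compiler `${lua.pkgs.fennel}` now follows the nixpkgs pin rather than the previously hash-pinned fennel 1.3.0 download would also help, since that is the reproducibility boundary this change moves. The enclosing function's argument list starts outside the hunk.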