improve firewall log format

firewall: don't drop in conntrack rule
as there are other rules following that might want to accept
2024-02-08 17:21:26 +00:00 · 2024-02-08 17:20:39 +00:00 · 2024-02-07 23:48:10 +00:00 · 2024-02-07 23:47:38 +00:00 · 2024-02-07 23:47:09 +00:00 · 2024-02-07 23:46:16 +00:00
6 changed files with 213 additions and 51 deletions
--- a/THOUGHTS.txt
+++ b/THOUGHTS.txt
@ -3887,3 +3887,68 @@ CONFIG_PHY_MVEBU_A3700_COMPHY=y
 CONFIG_PHY_MVEBU_A38X_COMPHY=y
 CONFIG_SWPHY=y
 #
+
+Sat Jan 27 18:14:13 GMT 2024
+
+To make the recovery system (and tftpboot generally) more useful, it
+would be good to resize the root fs on boot. Need to do this before
+anything that writes to it
+
+Mon Jan 29 21:50:59 GMT 2024
+
+something is corrupted in the uncompressed rootfs
+
+
+$ head -c $(printf "%d" 0x2be0000) rootfs | sha1sum
+142571fe0436c18191727d1d4c2fd32163c1f2e1  -
+=> sha1sum 0x1000000 2be0000
+sha1 for 01000000 ... 03bdffff ==> 142571fe0436c18191727d1d4c2fd32163c1f2e1
+
+but!
+
+$  head -c $(printf "%d" 0x2bf0000) rootfs | sha1sum
+7aa004ba87c6772bade491fbade164e2dfe100f9  -
+=> sha1sum 0x1000000 2bf0000
+sha1 for 01000000 ... 03beffff ==> 1a0923a94784d0c0b86006c5e6fff1649770dad3
+
+something is trashing something in the range 03be0000 - 03beffff
+or else it's not being decompressed properly
+
+pxefile_addr_r=0x1900000
+ramdisk_addr_r=0x2200000
+    scriptaddr=0x1800000
+fdt_addr_r=0x2000000
+fdtcontroladdr=7fb19b30
+fdtfile=armada-385-turris-omnia.dtb
+     fdt_high=0x10000000
+  initrd_high=0x10000000
+kernel_addr_r=0x1000000
+              0x1700000;
+              0x10000000
+
+Sun Feb  4 11:55:00 GMT 2024
+
+restructuredtext headings:
+
+https://devguide.python.org/documentation/markup/#sections
+
+
+####### chapter (one per filename)
+*******
+=======
+-------
+
+Mon Feb  5 09:57:52 GMT 2024
+
+Before calling the Omnia "done" I'd like to get it to the point that
+I can actually use it as a CPE. This means
+
+- writing something down about how we handle static addresses
+  - hosts that need static ipv6 can configure it themselves as ::n
+    where n is a small number. this won't clash with slaac
+  - the `hosts` param to dnsmasq can specify static ipv4
+
+- dealing with port forwards and allowed incoming in the firewall
+
+- would be quite cool to run sniproxy instead of forwarding to
+  loaclhost (extra credit)
--- a/examples/demo-firewall.nix
+++ b/examples/demo-firewall.nix
@ -35,6 +35,7 @@ in {
      (drop "icmpv6 type destination-unreachable ct state invalid,untracked")
    ];
  };
+
  forward-ip6 = {
    type = "filter";
    family = "ip6";
@ -95,9 +96,12 @@ in {
      # recognised (outbound-initiated) flow
      (accept "oifname \"int\" iifname \"ppp0\" ct state established,related")
      (accept "iifname \"int\" oifname \"ppp0\" ")
+
+      "log prefix \"DENIED CHAIN=forward-ip6 \""
    ];
  };
-  input-lan = {
+
+  input-ip6-lan = {
    type = "filter";
    family = "ip6";

@ -107,7 +111,7 @@ in {
    ];
  };

-  input-wan = {
+  input-ip6-wan = {
    type = "filter";
    family = "ip6";

@ -123,8 +127,8 @@ in {
    hook = "input";
    rules = [
      (accept "meta l4proto icmpv6")
-      "iifname int jump input-lan"
-      "iifname ppp0 jump input-wan"
+      "iifname int jump input-ip6-lan"
+      "iifname ppp0 jump input-ip6-wan"
      (if allow-incoming
       then accept "oifname \"int\" iifname \"ppp0\""
       else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
@ -132,6 +136,7 @@ in {
      # how does this even make sense in an input chain?
      (accept "oifname \"int\" iifname \"ppp0\"  ct state established,related")
      (accept "iifname \"int\" oifname \"ppp0\" ")
+      "log prefix \"DENIED CHAIN=input-ip6 \""
    ];
  };

@ -154,6 +159,7 @@ in {
      "oifname \"ppp0\" masquerade"
    ];
  };
+
  nat-rx = {
    type = "nat";
    hook = "prerouting";
@ -167,4 +173,66 @@ in {
      # packet replies. "
    ];
  };
+
+  # these chains are for rules that have to be present for things to
+  # basically work at all: for example, the router won't issue DHCP
+  # unless it's allowed to receive DHCP requests. For "site policy"
+  # rules you may prefer to use incoming-allowed-ip[46] instead
+
+  input-ip4-lan = {
+    type = "filter";
+    family = "ip";
+
+    rules = [
+      (accept "udp dport 547")
+      (accept "tcp dport 22")
+    ];
+  };
+
+  input-ip4-wan = {
+    type = "filter";
+    family = "ip";
+
+    rules = [
+    ];
+  };
+
+  input-ip4 = {
+    type = "filter";
+    family = "ip";
+    policy = "drop";
+    hook = "input";
+    rules = [
+      "iifname lo accept"
+      "iifname int jump input-ip4-lan"
+      "iifname ppp0 jump input-ip4-wan"
+      "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4"
+      "ct state vmap established,related accept"
+      "log prefix \"DENIED CHAIN=input-ip4 \""
+    ];
+  };
+
+  forward-ip4 = {
+    type = "filter";
+    family = "ip";
+    policy = "drop";
+    hook = "forward";
+    rules = [
+      "iifname \"int\" accept"
+      "ct state vmap { established : accept, related : accept, invalid : drop }"
+      "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4"
+      "log prefix \"DENIED CHAIN=forward-ip4 \""
+    ];
+  };
+
+  incoming-allowed-ip4 = {
+    type = "filter";
+    family = "ip";
+    rules = [
+      # this is where you put permitted incoming
+      # connections. Practically there's not a lot of use for this
+      # chain unless you have routable ipv4 addresses
+    ];
+  };
+
 }
--- a/examples/rotuer-secrets.example.nix
+++ b/examples/rotuer-secrets.example.nix
@ -11,4 +11,8 @@ rec {
    ];
  };
  root_password = root.passwd;
+  lan = {
+    prefix = "10.8.0"; # "192.168.8";
+  };
+
 }
--- a/examples/rotuer.nix
+++ b/examples/rotuer.nix
@ -42,6 +42,7 @@ in rec {
    ../modules/hostapd
    ../modules/bridge
    ../modules/ntp
+    ../modules/schnapps
    ../modules/ssh
    ../modules/outputs/btrfs.nix
    ../modules/outputs/extlinux.nix
@ -76,7 +77,7 @@ in rec {

  services.int = svc.network.address.build {
    interface = svc.bridge.primary.build { ifname = "int"; };
-    family = "inet"; address ="10.8.0.1"; prefixLength = 16;
+    family = "inet"; address ="${secrets.lan.prefix}.1"; prefixLength = 24;
  };

  services.bridge =  svc.bridge.members.build {
@ -84,7 +85,12 @@ in rec {
    members = with config.hardware.networkInterfaces;
      [ wlan
        wlan5
-        lan ];
+        lan0
+        lan1
+        lan2
+        lan3
+        lan4
+      ];
  };

  services.ntp = svc.ntp.build {
@ -102,7 +108,7 @@ in rec {
      resolvconf = services.resolvconf;
      inherit interface;
      ranges = [
-        "10.8.0.10,10.8.0.240"
+        "${secrets.lan.prefix}.10,${secrets.lan.prefix}.240"
        # ra-stateless: sends router advertisements with the O and A
        # bits set, and provides a stateless DHCP service. The client
        # will use a SLAAC address, and use DHCP for other
@ -160,7 +166,9 @@ in rec {
  };

  services.firewall = svc.firewall.build {
-    ruleset = import ./demo-firewall.nix;
+    ruleset =
+      let defaults = import ./demo-firewall.nix;
+      in lib.recursiveUpdate defaults secrets.firewallRules;
  };

  services.packet_forwarding = svc.network.forward.build { };
--- a/modules/firewall/default.nix
+++ b/modules/firewall/default.nix
@ -16,14 +16,35 @@ let
    # even supposed to work?" questions
    let yes = if isModule then "m" else "y";
    in {
+      NETFILTER = "y";
+      NETFILTER_ADVANCED = "y";
+      NETFILTER_NETLINK = yes;
+      NF_CONNTRACK = yes;
+
+      IP6_NF_IPTABLES=  yes;
+      IP_NF_IPTABLES = yes;
+      IP_NF_NAT = yes;
+      IP_NF_TARGET_MASQUERADE = yes;
+
+      NFT_CT = yes;
      NFT_FIB_IPV4 = yes;
      NFT_FIB_IPV6 = yes;
-      NF_TABLES = yes;
+      NFT_LOG = yes;
+      NFT_MASQ = yes;
+      NFT_NAT = yes;
+      NFT_REJECT = yes;
+      NFT_REJECT_INET = yes;
+
      NF_CT_PROTO_DCCP = "y";
      NF_CT_PROTO_SCTP = "y";
      NF_CT_PROTO_UDPLITE = "y";
-      # NF_CONNTRACK_FTP = yes;
-      NFT_CT = yes;
+      NF_LOG_SYSLOG = yes;
+      NF_NAT = yes;
+      NF_NAT_MASQUERADE = "y";
+      NF_TABLES = yes;
+      NF_TABLES_INET = "y";
+      NF_TABLES_IPV4 = "y";
+      NF_TABLES_IPV6 = "y";
    };
  kmodules = pkgs.kernel-modules.override {
    kernelSrc = config.system.outputs.kernel.src;
@ -31,6 +52,35 @@ let
    targets = [
      "nft_fib_ipv4"
      "nft_fib_ipv6"
+      "nf_log_syslog"
+
+      "ip6_tables"
+      "ip_tables"
+      "iptable_nat"
+      "nf_conntrack"
+      "nf_defrag_ipv4"
+      "nf_defrag_ipv6"
+      "nf_log_syslog"
+      "nf_nat"
+      "nf_reject_ipv4"
+      "nf_reject_ipv6"
+      "nf_tables"
+      "nft_chain_nat"
+      "nft_ct"
+      "nft_fib"
+      "nft_fib_ipv4"
+      "nft_fib_ipv6"
+      "nft_log"
+      "nft_masq"
+      "nft_nat"
+      "nft_reject"
+      "nft_reject_inet"
+      "nft_reject_ipv4"
+      "nft_reject_ipv6"
+      "x_tables"
+      "xt_MASQUERADE"
+      "xt_nat"
+      "xt_tcpudp"
    ];
    kconfig = kconf true;
  };
@ -55,41 +105,13 @@ in
            };
          };
      in svc // {
-        build = args : (svc.build args) // {
-          dependencies = [ loadModules ] ++ (svc.dependencies or []);
-        };
+        build = args :
+          let args' = args // {
+                dependencies = (args.dependencies or []) ++ [loadModules];
+              };
+          in svc.build args' ;
      };

-    # For historical reasons the kernel config is split between
-    # monolithic options and modules. TODO: go through this list
-    # and see what can be moved into the "kconf" definiton above
-    kernel.config = {
-      NETFILTER_XT_MATCH_CONNTRACK = "y";
-
-      IP6_NF_IPTABLES= "y";
-      IP_NF_IPTABLES= "y";
-
-      IP_NF_NAT = "y";
-      IP_NF_TARGET_MASQUERADE = "y";
-      NETFILTER = "y";
-      NETFILTER_ADVANCED = "y";
-      NETFILTER_XTABLES = "y";
-
-      NFT_COMPAT = "y";
-      NFT_CT = "y";
-      NFT_LOG = "y";
-      NFT_MASQ = "y";
-      NFT_NAT = "y";
-      NFT_REJECT = "y";
-      NFT_REJECT_INET = "y";
-
-      NF_CONNTRACK = "y";
-      NF_NAT = "y";
-      NF_NAT_MASQUERADE  = "y";
-      NF_TABLES= "y";
-      NF_TABLES_INET = "y";
-      NF_TABLES_IPV4 = "y";
-      NF_TABLES_IPV6 = "y";
-    };
+    kernel.config = kconf true;
  };
 }
--- a/pkgs/kernel-modules/default.nix
+++ b/pkgs/kernel-modules/default.nix
@ -11,11 +11,7 @@
 }:
 let
  writeConfig = import ../kernel/write-kconfig.nix { inherit lib writeText; };
-  arch = if stdenv.isMips
-         then "mips"
-         else if stdenv.isAarch64
-         then "arm64"
-         else throw "unknown arch";
+  arch = stdenv.hostPlatform.linuxArch;
 in stdenv.mkDerivation {
  name = "kernel-modules";

@ -38,7 +34,6 @@ in stdenv.mkDerivation {
    cat .more-config >> .config
    make olddefconfig
    for v in $(cat .more-config) ; do grep $v .config || (echo Missing $v && exit 1);done
-    # grep =m .config
    make modules
  '';
  src =  modulesupport;
Author	SHA1	Message	Date
Daniel Barlow	87f6a31a06	improve firewall log format	2024-02-08 17:21:26 +00:00
Daniel Barlow	a9ea01428e	firewall: don't drop in conntrack rule as there are other rules following that might want to accept	2024-02-08 17:20:39 +00:00
Daniel Barlow	92b0bec038	rotuer: add schnapps and the rest of the lan interfaces	2024-02-07 23:48:10 +00:00
Daniel Barlow	82537bbe68	delete commented-out code	2024-02-07 23:47:38 +00:00
Daniel Barlow	efb29c5901	demo-firewall: add some rules for ipv4	2024-02-07 23:47:09 +00:00
Daniel Barlow	29e61be26c	rotuer: get lan rfc1918 prefix from secrets	2024-02-07 23:46:16 +00:00
Daniel Barlow	6f1f9d6f20	firewall: fix module loading	2024-02-07 23:43:41 +00:00
Daniel Barlow	34291292c0	fix dependency on kernel moduels in firewall service	2024-02-07 16:21:14 +00:00
Daniel Barlow	c9e4c1b0da	kernel-modules: use linuxArch instead of case expression	2024-02-07 16:20:34 +00:00
Daniel Barlow	891d6e5f20	thenk	2024-02-05 19:20:13 +00:00