Compare commits
10 Commits
c4041b00f6
...
87f6a31a06
Author | SHA1 | Date |
---|---|---|
Daniel Barlow | 87f6a31a06 | |
Daniel Barlow | a9ea01428e | |
Daniel Barlow | 92b0bec038 | |
Daniel Barlow | 82537bbe68 | |
Daniel Barlow | efb29c5901 | |
Daniel Barlow | 29e61be26c | |
Daniel Barlow | 6f1f9d6f20 | |
Daniel Barlow | 34291292c0 | |
Daniel Barlow | c9e4c1b0da | |
Daniel Barlow | 891d6e5f20 |
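--- a/THOUGHTS.txt
+++ b/THOUGHTS.txt
@@ -3887,3 +3887,68 @@ CONFIG_PHY_MVEBU_A3700_COMPHY=y
 CONFIG_PHY_MVEBU_A38X_COMPHY=y
 CONFIG_SWPHY=y
 #
+
+Sat Jan 27 18:14:13 GMT 2024
+
+To make the recovery system (and tftpboot generally) more useful, it
+would be good to resize the root fs on boot. Need to do this before
+anything that writes to it
+
+Mon Jan 29 21:50:59 GMT 2024
+
+something is corrupted in the uncompressed rootfs
+
+
+$ head -c $(printf "%d" 0x2be0000) rootfs | sha1sum
+142571fe0436c18191727d1d4c2fd32163c1f2e1 -
+=> sha1sum 0x1000000 2be0000
+sha1 for 01000000 ... 03bdffff ==> 142571fe0436c18191727d1d4c2fd32163c1f2e1
+
+but!
+
+$ head -c $(printf "%d" 0x2bf0000) rootfs | sha1sum
+7aa004ba87c6772bade491fbade164e2dfe100f9 -
+=> sha1sum 0x1000000 2bf0000
+sha1 for 01000000 ... 03beffff ==> 1a0923a94784d0c0b86006c5e6fff1649770dad3
+
+something is trashing something in the range 03be0000 - 03beffff
+or else it's not being decompressed properly
+
+pxefile_addr_r=0x1900000
+ramdisk_addr_r=0x2200000
+scriptaddr=0x1800000
+fdt_addr_r=0x2000000
+fdtcontroladdr=7fb19b30
+fdtfile=armada-385-turris-omnia.dtb
+fdt_high=0x10000000
+initrd_high=0x10000000
+kernel_addr_r=0x1000000
+0x1700000;
+0x10000000
+
+Sun Feb 4 11:55:00 GMT 2024
+
+restructuredtext headings:
+
+https://devguide.python.org/documentation/markup/#sections
+
+
+####### chapter (one per filename)
+*******
+=======
+-------
+
+Mon Feb 5 09:57:52 GMT 2024
+
+Before calling the Omnia "done" I'd like to get it to the point that
+I can actually use it as a CPE. This means
+
+- writing something down about how we handle static addresses
+- hosts that need static ipv6 can configure it themselves as ::n
+where n is a small number. this won't clash with slaac
+- the `hosts` param to dnsmasq can specify static ipv4
+
+- dealing with port forwards and allowed incoming in the firewall
+
+- would be quite cool to run sniproxy instead of forwarding to
+loaclhost (extra credit)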
@ -35,6 +35,7 @@ in {
|
|||
(drop "icmpv6 type destination-unreachable ct state invalid,untracked")
|
||||
];
|
||||
};
|
||||
|
||||
forward-ip6 = {
|
||||
type = "filter";
|
||||
family = "ip6";
|
||||
|
@ -95,9 +96,12 @@ in {
|
|||
# recognised (outbound-initiated) flow
|
||||
(accept "oifname \"int\" iifname \"ppp0\" ct state established,related")
|
||||
(accept "iifname \"int\" oifname \"ppp0\" ")
|
||||
|
||||
"log prefix \"DENIED CHAIN=forward-ip6 \""
|
||||
];
|
||||
};
|
||||
input-lan = {
|
||||
|
||||
input-ip6-lan = {
|
||||
type = "filter";
|
||||
family = "ip6";
|
||||
|
||||
|
@ -107,7 +111,7 @@ in {
|
|||
];
|
||||
};
|
||||
|
||||
input-wan = {
|
||||
input-ip6-wan = {
|
||||
type = "filter";
|
||||
family = "ip6";
|
||||
|
||||
|
@ -123,8 +127,8 @@ in {
|
|||
hook = "input";
|
||||
rules = [
|
||||
(accept "meta l4proto icmpv6")
|
||||
"iifname int jump input-lan"
|
||||
"iifname ppp0 jump input-wan"
|
||||
"iifname int jump input-ip6-lan"
|
||||
"iifname ppp0 jump input-ip6-wan"
|
||||
(if allow-incoming
|
||||
then accept "oifname \"int\" iifname \"ppp0\""
|
||||
else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
|
||||
|
@ -132,6 +136,7 @@ in {
|
|||
# how does this even make sense in an input chain?
|
||||
(accept "oifname \"int\" iifname \"ppp0\" ct state established,related")
|
||||
(accept "iifname \"int\" oifname \"ppp0\" ")
|
||||
"log prefix \"DENIED CHAIN=input-ip6 \""
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -154,6 +159,7 @@ in {
|
|||
"oifname \"ppp0\" masquerade"
|
||||
];
|
||||
};
|
||||
|
||||
nat-rx = {
|
||||
type = "nat";
|
||||
hook = "prerouting";
|
||||
|
@ -167,4 +173,66 @@ in {
|
|||
# packet replies. "
|
||||
];
|
||||
};
|
||||
|
||||
# these chains are for rules that have to be present for things to
|
||||
# basically work at all: for example, the router won't issue DHCP
|
||||
# unless it's allowed to receive DHCP requests. For "site policy"
|
||||
# rules you may prefer to use incoming-allowed-ip[46] instead
|
||||
|
||||
input-ip4-lan = {
|
||||
type = "filter";
|
||||
family = "ip";
|
||||
|
||||
rules = [
|
||||
(accept "udp dport 547")
|
||||
(accept "tcp dport 22")
|
||||
];
|
||||
};
|
||||
|
||||
input-ip4-wan = {
|
||||
type = "filter";
|
||||
family = "ip";
|
||||
|
||||
rules = [
|
||||
];
|
||||
};
|
||||
|
||||
input-ip4 = {
|
||||
type = "filter";
|
||||
family = "ip";
|
||||
policy = "drop";
|
||||
hook = "input";
|
||||
rules = [
|
||||
"iifname lo accept"
|
||||
"iifname int jump input-ip4-lan"
|
||||
"iifname ppp0 jump input-ip4-wan"
|
||||
"oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4"
|
||||
"ct state vmap established,related accept"
|
||||
"log prefix \"DENIED CHAIN=input-ip4 \""
|
||||
];
|
||||
};
|
||||
|
||||
forward-ip4 = {
|
||||
type = "filter";
|
||||
family = "ip";
|
||||
policy = "drop";
|
||||
hook = "forward";
|
||||
rules = [
|
||||
"iifname \"int\" accept"
|
||||
"ct state vmap { established : accept, related : accept, invalid : drop }"
|
||||
"oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4"
|
||||
"log prefix \"DENIED CHAIN=forward-ip4 \""
|
||||
];
|
||||
};
|
||||
|
||||
incoming-allowed-ip4 = {
|
||||
type = "filter";
|
||||
family = "ip";
|
||||
rules = [
|
||||
# this is where you put permitted incoming
|
||||
# connections. Practically there's not a lot of use for this
|
||||
# chain unless you have routable ipv4 addresses
|
||||
];
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
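Review bot: `(accept "udp dport 547")` in the new `input-ip4-lan` chain is the DHCPv6 server port; for a `family = "ip"` chain that the comment above it justifies with "the router won't issue DHCP unless it's allowed to receive DHCP requests", DHCPv4 requests arrive on `udp dport 67`, so under `input-ip4`'s `policy = "drop"` no IPv4 lease would ever be issued — change it to `(accept "udp dport 67")`, and if dnsmasq also answers DNS on `int`, `udp dport 53` and `tcp dport 53` need accepting there too. In `input-ip4` the rule `"ct state vmap established,related accept"` does not look like nft syntax that loads (`vmap` takes a `{ key : verdict, ... }` map); the `forward-ip4` chain below already uses the map form, or plain `"ct state established,related accept"` would do. The `"oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4"` rule in `input-ip4` cannot match in an input hook, as the author's own comment in the ip6 input chain notes, so it is dead but fail-closed; a one-line comment saying it is intentionally inert there would stop a reader assuming incoming IPv4 policy is applied on the input path.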
@ -11,4 +11,8 @@ rec {
|
|||
];
|
||||
};
|
||||
root_password = root.passwd;
|
||||
lan = {
|
||||
prefix = "10.8.0"; # "192.168.8";
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
@ -42,6 +42,7 @@ in rec {
|
|||
../modules/hostapd
|
||||
../modules/bridge
|
||||
../modules/ntp
|
||||
../modules/schnapps
|
||||
../modules/ssh
|
||||
../modules/outputs/btrfs.nix
|
||||
../modules/outputs/extlinux.nix
|
||||
|
@ -76,7 +77,7 @@ in rec {
|
|||
|
||||
services.int = svc.network.address.build {
|
||||
interface = svc.bridge.primary.build { ifname = "int"; };
|
||||
family = "inet"; address ="10.8.0.1"; prefixLength = 16;
|
||||
family = "inet"; address ="${secrets.lan.prefix}.1"; prefixLength = 24;
|
||||
};
|
||||
|
||||
services.bridge = svc.bridge.members.build {
|
||||
|
@ -84,7 +85,12 @@ in rec {
|
|||
members = with config.hardware.networkInterfaces;
|
||||
[ wlan
|
||||
wlan5
|
||||
lan ];
|
||||
lan0
|
||||
lan1
|
||||
lan2
|
||||
lan3
|
||||
lan4
|
||||
];
|
||||
};
|
||||
|
||||
services.ntp = svc.ntp.build {
|
||||
|
@ -102,7 +108,7 @@ in rec {
|
|||
resolvconf = services.resolvconf;
|
||||
inherit interface;
|
||||
ranges = [
|
||||
"10.8.0.10,10.8.0.240"
|
||||
"${secrets.lan.prefix}.10,${secrets.lan.prefix}.240"
|
||||
# ra-stateless: sends router advertisements with the O and A
|
||||
# bits set, and provides a stateless DHCP service. The client
|
||||
# will use a SLAAC address, and use DHCP for other
|
||||
|
@ -160,7 +166,9 @@ in rec {
|
|||
};
|
||||
|
||||
services.firewall = svc.firewall.build {
|
||||
ruleset = import ./demo-firewall.nix;
|
||||
ruleset =
|
||||
let defaults = import ./demo-firewall.nix;
|
||||
in lib.recursiveUpdate defaults secrets.firewallRules;
|
||||
};
|
||||
|
||||
services.packet_forwarding = svc.network.forward.build { };
|
||||
|
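Review bot: `lib.recursiveUpdate defaults secrets.firewallRules` merges attribute sets only; list-valued attributes such as a chain's `rules` are replaced wholesale, so an override of, say, `input-ip4.rules` in `secrets.firewallRules` silently discards every default rule of that chain, including the trailing log rule before the drop policy. If the intent is that site policy goes through the `incoming-allowed-ip[46]` chains, a comment next to this line would keep the next override from replacing a base chain by accident: `# NOTE: recursiveUpdate replaces lists, so an overridden chain's rules replace the defaults entirely; prefer filling incoming-allowed-ip[46]`. The enclosing `services.firewall = svc.firewall.build { ... }` is wholly within the hunk.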
|
|
@ -16,14 +16,35 @@ let
|
|||
# even supposed to work?" questions
|
||||
let yes = if isModule then "m" else "y";
|
||||
in {
|
||||
NETFILTER = "y";
|
||||
NETFILTER_ADVANCED = "y";
|
||||
NETFILTER_NETLINK = yes;
|
||||
NF_CONNTRACK = yes;
|
||||
|
||||
IP6_NF_IPTABLES= yes;
|
||||
IP_NF_IPTABLES = yes;
|
||||
IP_NF_NAT = yes;
|
||||
IP_NF_TARGET_MASQUERADE = yes;
|
||||
|
||||
NFT_CT = yes;
|
||||
NFT_FIB_IPV4 = yes;
|
||||
NFT_FIB_IPV6 = yes;
|
||||
NF_TABLES = yes;
|
||||
NFT_LOG = yes;
|
||||
NFT_MASQ = yes;
|
||||
NFT_NAT = yes;
|
||||
NFT_REJECT = yes;
|
||||
NFT_REJECT_INET = yes;
|
||||
|
||||
NF_CT_PROTO_DCCP = "y";
|
||||
NF_CT_PROTO_SCTP = "y";
|
||||
NF_CT_PROTO_UDPLITE = "y";
|
||||
# NF_CONNTRACK_FTP = yes;
|
||||
NFT_CT = yes;
|
||||
NF_LOG_SYSLOG = yes;
|
||||
NF_NAT = yes;
|
||||
NF_NAT_MASQUERADE = "y";
|
||||
NF_TABLES = yes;
|
||||
NF_TABLES_INET = "y";
|
||||
NF_TABLES_IPV4 = "y";
|
||||
NF_TABLES_IPV6 = "y";
|
||||
};
|
||||
kmodules = pkgs.kernel-modules.override {
|
||||
kernelSrc = config.system.outputs.kernel.src;
|
||||
|
@ -31,6 +52,35 @@ let
|
|||
targets = [
|
||||
"nft_fib_ipv4"
|
||||
"nft_fib_ipv6"
|
||||
"nf_log_syslog"
|
||||
|
||||
"ip6_tables"
|
||||
"ip_tables"
|
||||
"iptable_nat"
|
||||
"nf_conntrack"
|
||||
"nf_defrag_ipv4"
|
||||
"nf_defrag_ipv6"
|
||||
"nf_log_syslog"
|
||||
"nf_nat"
|
||||
"nf_reject_ipv4"
|
||||
"nf_reject_ipv6"
|
||||
"nf_tables"
|
||||
"nft_chain_nat"
|
||||
"nft_ct"
|
||||
"nft_fib"
|
||||
"nft_fib_ipv4"
|
||||
"nft_fib_ipv6"
|
||||
"nft_log"
|
||||
"nft_masq"
|
||||
"nft_nat"
|
||||
"nft_reject"
|
||||
"nft_reject_inet"
|
||||
"nft_reject_ipv4"
|
||||
"nft_reject_ipv6"
|
||||
"x_tables"
|
||||
"xt_MASQUERADE"
|
||||
"xt_nat"
|
||||
"xt_tcpudp"
|
||||
];
|
||||
kconfig = kconf true;
|
||||
};
|
||||
|
@ -55,41 +105,13 @@ in
|
|||
};
|
||||
};
|
||||
in svc // {
|
||||
build = args : (svc.build args) // {
|
||||
dependencies = [ loadModules ] ++ (svc.dependencies or []);
|
||||
};
|
||||
build = args :
|
||||
let args' = args // {
|
||||
dependencies = (args.dependencies or []) ++ [loadModules];
|
||||
};
|
||||
in svc.build args' ;
|
||||
};
|
||||
|
||||
# For historical reasons the kernel config is split between
|
||||
# monolithic options and modules. TODO: go through this list
|
||||
# and see what can be moved into the "kconf" definiton above
|
||||
kernel.config = {
|
||||
NETFILTER_XT_MATCH_CONNTRACK = "y";
|
||||
|
||||
IP6_NF_IPTABLES= "y";
|
||||
IP_NF_IPTABLES= "y";
|
||||
|
||||
IP_NF_NAT = "y";
|
||||
IP_NF_TARGET_MASQUERADE = "y";
|
||||
NETFILTER = "y";
|
||||
NETFILTER_ADVANCED = "y";
|
||||
NETFILTER_XTABLES = "y";
|
||||
|
||||
NFT_COMPAT = "y";
|
||||
NFT_CT = "y";
|
||||
NFT_LOG = "y";
|
||||
NFT_MASQ = "y";
|
||||
NFT_NAT = "y";
|
||||
NFT_REJECT = "y";
|
||||
NFT_REJECT_INET = "y";
|
||||
|
||||
NF_CONNTRACK = "y";
|
||||
NF_NAT = "y";
|
||||
NF_NAT_MASQUERADE = "y";
|
||||
NF_TABLES= "y";
|
||||
NF_TABLES_INET = "y";
|
||||
NF_TABLES_IPV4 = "y";
|
||||
NF_TABLES_IPV6 = "y";
|
||||
};
|
||||
kernel.config = kconf true;
|
||||
};
|
||||
}
|
||||
|
|
|
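Review bot: `kernel.config = kconf true;` turns the netfilter/nftables options that the replaced block set to `"y"` into `"m"` (`yes` is `"m"` when `isModule` is true), so the packet filter now exists only after `loadModules` has run; if that step fails or is ordered after the interfaces come up, nft cannot load the ruleset and the router runs with no input or forward policy at all, which fails open rather than closed. It would be worth making a ruleset-load failure fatal for the firewall service, ordering interface bring-up after it, and saying in a comment here why `true` is passed for the monolithic config (presumably so the kernel and `kmodules` agree on one option set — confirm). Separately, `NETFILTER_XTABLES`, `NETFILTER_XT_MATCH_CONNTRACK` and `NFT_COMPAT` from the old `kernel.config` have no counterpart in `kconf` even though `x_tables` and `xt_*` modules remain in `targets`; if anything still relies on the xtables compatibility path this is a silent loss.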
@ -11,11 +11,7 @@
|
|||
}:
|
||||
let
|
||||
writeConfig = import ../kernel/write-kconfig.nix { inherit lib writeText; };
|
||||
arch = if stdenv.isMips
|
||||
then "mips"
|
||||
else if stdenv.isAarch64
|
||||
then "arm64"
|
||||
else throw "unknown arch";
|
||||
arch = stdenv.hostPlatform.linuxArch;
|
||||
in stdenv.mkDerivation {
|
||||
name = "kernel-modules";
|
||||
|
||||
|
@ -38,7 +34,6 @@ in stdenv.mkDerivation {
|
|||
cat .more-config >> .config
|
||||
make olddefconfig
|
||||
for v in $(cat .more-config) ; do grep $v .config || (echo Missing $v && exit 1);done
|
||||
# grep =m .config
|
||||
make modules
|
||||
'';
|
||||
src = modulesupport;
|
||||
|
|
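Review bot: removing the `for v in $(cat .more-config) ; do grep $v .config || (echo Missing $v && exit 1);done` loop drops the only check that the requested options survived `make olddefconfig`, which silently disables any option whose dependencies are unmet, so a missing `NF_*`/`NFT_*` option now produces a module set with holes and a ruleset that fails to load at runtime instead of a build failure. Keep the check, or add an equivalent assertion after `make olddefconfig`, so that an unsatisfiable firewall option still breaks the build. The enclosing shell string starts outside the hunk.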