


6 Commits

Author SHA1 Message Date
b002a94e07 rotuer: use firewallgen to make packet filter rules 2023-06-20 20:20:32 +01:00
d79a1e15bb get fennel from source instead of luarocks 2023-06-20 20:19:11 +01:00
340f7211ef remove unused packages 2023-06-20 20:13:59 +01:00
3dd247a719 update arch for gl-ar750
not sure this is needed, tbh
2023-06-20 20:11:25 +01:00
c1ba067fad remove deps from chrony
it's trying to build Perl and all manner of stuff that for
our purposes I don't think we need
2023-06-20 20:09:17 +01:00
435a36f267 delete unused derivations in overlay 2023-06-20 20:06:36 +01:00
5 changed files with 159 additions and 70 deletions


@ -12,7 +12,7 @@
config = "mips-unknown-linux-musl";
gcc = {
abi = "32";
arch = "mips32"; # maybe mips_24kc-
arch = "24kc"; # maybe mips_24kc-
};
};
};


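--- /dev/null
+++ b/rotuer-firewall.nix
@@ -0,0 +1,124 @@
+let
+drop = expr : "${expr} drop";
+accept = expr : "${expr} accept";
+mcast-scope = 8;
+allow-incoming = false;
+bogons-ip6 = {
+type = "filter";
+family = "ip6";
+rules = [
+(drop "ip6 saddr ff00::/8") # multicast saddr is illegal
+(drop "ip6 saddr ::/128") # unspecified address
+(drop "ip6 daddr ::/128")
+(drop "ip6 saddr 2001:db8::/32") # documentation addresses
+(drop "ip6 daddr 2001:db8::/32")
+# I think this means "check FIB for (saddr, iif) to see if we
+# could route a packet to that address using that interface",
+# and if we can't then it was an inapproppriate source address
+# for packets received _from_ said interface
+(drop "fib saddr . iif oif eq 0")
+(drop "icmpv6 type router-renumbering")
+(drop "icmpv6 type 139") # Node Information Query
+(drop "icmpv6 type 140") # Node Information Response
+(drop "icmpv6 type 100")
+(drop "icmpv6 type 101")
+(drop "icmpv6 type 200")
+(drop "icmpv6 type 201")
+(drop "icmpv6 type 127")
+(drop "icmpv6 type 255")
+(drop "icmpv6 type destination-unreachable ct state invalid,untracked")
+];
+};
+forward-ip6 = {
+type = "filter";
+family = "ip6";
+policy = "drop";
+hook = "forward";
+rules = [
+"jump bogons-ip6"
+(drop "ip6 saddr ::1/128") # loopback address [RFC4291]
+(drop "ip6 daddr ::1/128")
+(drop "ip6 saddr ::FFFF:0:0/96")# IPv4-mapped addresses
+(drop "ip6 daddr ::FFFF:0:0/96")
+(drop "ip6 saddr fe80::/10") # link-local unicast
+(drop "ip6 daddr fe80::/10")
+(drop "ip6 saddr fc00::/7") # unique-local addresses
+(drop "ip6 daddr fc00::/7")
+(drop "ip6 saddr 2001:10::/28") # ORCHID [RFC4843].
+(drop "ip6 daddr 2001:10::/28")
+(drop "ip6 saddr fc00::/7") # unique local source
+(drop "ip6 daddr fc00::/7") # and/or dst addresses [RFC4193]
+# multicast with wrong scopes
+(drop
+# dest addr first byte 0xff, low nibble of second byte <= scope
+# https://www.mankier.com/8/nft#Payload_Expressions-Raw_Payload_Expression
+"@nh,192,8 eq 0xff @nh,204,4 le ${toString mcast-scope}")
+(accept "oifname \"int\" iifname \"ppp0\" meta l4proto udp ct state established,related")
+(accept "iifname \"int\" oifname \"ppp0\" meta l4proto udp")
+(accept "meta l4proto icmpv6")
+(accept "meta l4proto ah")
+(accept "meta l4proto esp")
+# does this ever get used or does the preceding general udp accept
+# already grab anything that might get here?
+(accept "oifname \"ppp0\" udp dport 500") # IKE Protocol [RFC5996]. haha zyxel
+(accept "ip6 nexthdr hip")
+## FIXME no support yet for recs 27-30 Mobility Header
+(accept "oifname \"int\" iifname \"ppp0\" meta l4proto tcp ct state established,related")
+(accept "iifname \"int\" oifname \"ppp0\" meta l4proto tcp")
+(accept "oifname \"int\" iifname \"ppp0\" meta l4proto sctp ct state established,related")
+(accept "iifname \"int\" oifname \"ppp0\" meta l4proto sctp")
+(accept "oifname \"int\" iifname \"ppp0\" meta l4proto dccp ct state established,related")
+(accept "iifname \"int\" oifname \"ppp0\" meta l4proto dccp")
+# we can allow all reasonable inbound, or we can use an explicit
+# allowlist to enumerate the endpoints that are allowed to
+# accept inbound from the WAN
+(if allow-incoming
+then accept "oifname \"int\" iifname \"ppp0\""
+else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
+)
+# allow all outbound and any inbound that's part of a
+# recognised (outbound-initiated) flow
+(accept "oifname \"int\" iifname \"ppp0\" ct state established,related")
+(accept "iifname \"int\" oifname \"ppp0\" ")
+];
+};
+input-ip6 = {
+type = "filter";
+family = "ip6";
+policy = "drop";
+hook = "input";
+rules = [
+"jump bogons-ip6"
+(accept "meta l4proto icmpv6")
+(if allow-incoming
+then accept "oifname \"int\" iifname \"ppp0\""
+else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
+)
+(accept "oifname \"int\" iifname \"ppp0\" ct state established,related")
+(accept "iifname \"int\" oifname \"ppp0\" ")
+];
+};
+incoming-allowed-ip6 = {
+type = "filter";
+family = "ip6";
+rules = [
+"oifname \"int\" ip6 daddr 2001:8b0:de3a:40de::e9d tcp dport 22"
+];
+};
+in {
+inherit input-ip6 forward-ip6 bogons-ip6 incoming-allowed-ip6;
+}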
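Review bot: Every accept rule in input-ip6 after the icmpv6 one (the allow-incoming branch, the established,related rule and the LAN rule) carries `oifname "int"` or `oifname "ppp0"`, but a chain on the input hook has no output interface, so as far as I can tell those rules either never match or nft rejects them, and with `policy = "drop"` everything except icmpv6 — LAN clients talking to the router itself and replies to the router's own WAN-originated traffic included — is dropped. In that chain the rules should key on the input interface alone, e.g. `(accept "iifname \"ppp0\" ct state established,related")` and `(accept "iifname \"int\"")`; note that simply deleting the oifname from the allow-incoming branch would turn it into a blanket accept of all WAN traffic to the router, so for input-ip6 a jump to the allow-list is the safer form whatever allow-incoming says. The only rule in incoming-allowed-ip6 has no verdict, so the jump matches, returns, and the SSH flow it is meant to admit still ends in the forward chain's drop policy; it wants `(accept "oifname \"int\" ip6 daddr 2001:8b0:de3a:40de::e9d tcp dport 22")`. The fc00::/7 saddr/daddr drops appear twice in forward-ip6, and bogons-ip6 and incoming-allowed-ip6 would read better with a one-line comment each saying they are regular chains (no hook, no policy) reached only by jump.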


@ -226,15 +226,23 @@ in rec {
dependencies = [ services.wan ];
};
services.firewall =
let config = pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix);
in oneshot {
name = "firewall";
up = config;
down = "${pkgs.nftables}/bin/nft flush ruleset";
};
services.packet_forwarding =
let filename = "/proc/sys/net/ipv4/conf/all/forwarding";
in oneshot {
name = "let-the-ip-flow";
up = ''
${pkgs.nftables}/bin/nft -f ${../nat.nft}
echo 1 > $(unknown)
'';
down = "echo 0 > $(unknown)";
dependencies = [ services.firewall ];
};
services.dhcp6 =
@ -280,5 +288,7 @@ in rec {
acquire-lan-prefix
];
};
defaultProfile.packages = with pkgs; [min-collect-garbage nftables tcpdump] ;
defaultProfile.packages = with pkgs; [
min-collect-garbage
];
}
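Review bot: `down = "${pkgs.nftables}/bin/nft flush ruleset"` in services.firewall removes the policy-drop forward chain in one step, and because services.packet_forwarding depends on the firewall rather than the reverse, `/proc/sys/net/ipv4/conf/all/forwarding` may still be 1 while the ruleset is empty, depending on how the oneshot runner orders down actions (not visible in this hunk). A fail-closed alternative is a down action that loads a minimal ruleset whose forward chain keeps `policy drop`, or that deletes only the tables firewallgen created, which would also stop the flush from discarding the NAT table packet_forwarding loads from `nat.nft`. `up = config;` deserves a comment stating what `pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix)` evaluates to (a command string or a script path), since the oneshot presumably runs it as-is. The `$(unknown)` on the two echo lines looks like this page's rendering of `${filename}` from the let above; worth confirming the file itself still reads `${filename}`.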


@ -47,8 +47,6 @@ extraPkgs // {
];
});
# openssl is reqired by ntp
rsyncSmall = prev.rsync.overrideAttrs(o: {
configureFlags = o.configureFlags ++ [
"--disable-openssl"
@ -68,30 +66,14 @@ extraPkgs // {
nss = null;
nspr = null;
readline = null;
libedit = null;
libcap = null;
libseccomp = null;
};
# should texinfo be in nativeBuildInputs instead of
# buildInputs?
texinfo = null;
ntp =
let
openssl = prev.openssl.overrideAttrs(o: {
preInstall = ''
find . -name libcrypto.so.3 -ls
$STRIP lib*.so.*
'';
});
ntp_ = prev.ntp.overrideAttrs(o: {
outputs = [
"out"
"man"
"perllib"
"doc"
];
postInstall = ''
mkdir -p $perllib
moveToOutput "share/ntp" $perllib
'';
});
in ntp_.override { inherit openssl; };
};
strace = prev.strace.override { libunwind = null; };
@ -184,41 +166,4 @@ extraPkgs // {
});
pppBuild = prev.ppp;
pppOld =
(prev.ppp.override {
libpcap = null;
}).overrideAttrs (o : {
stripAllList = [ "bin" ];
buildInputs = [];
# patches =
# o.patches ++
# [(final.fetchpatch {
# name = "ipv6-script-options.patch";
# url = "https://github.com/ppp-project/ppp/commit/874c2a4a9684bf6938643c7fa5ff1dd1cf80aea4.patch";
# sha256 = "sha256-K46CKpDpm1ouj6jFtDs9IUMHzlRMRP+rMPbMovLy3o4=";
# })];
postPatch = ''
sed -i -e 's@_PATH_VARRUN@"/run/"@' pppd/main.c
sed -i -e 's@^FILTER=y@# FILTER unset@' pppd/Makefile.linux
sed -i -e 's/-DIPX_CHANGE/-UIPX_CHANGE/g' pppd/Makefile.linux
'';
buildPhase = ''
runHook preBuild
make -C pppd CC=$CC USE_TDB= HAVE_MULTILINK= USE_EAPTLS= USE_CRYPT=y
make -C pppd/plugins/pppoe CC=$CC
make -C pppd/plugins/pppol2tp CC=$CC
runHook postBuild;
'';
installPhase = ''
runHook preInstall
mkdir -p $out/bin $out/lib/pppd/2.4.9
cp pppd/pppd pppd/plugins/pppoe/pppoe-discovery $out/bin
cp pppd/plugins/pppoe/pppoe.so $out/lib/pppd/2.4.9
cp pppd/plugins/pppol2tp/{open,pppo}l2tp.so $out/lib/pppd/2.4.9
runHook postInstall
'';
postFixup = "";
});
}


@ -2,20 +2,30 @@
runCommand
, luaSmall
, runtimeShell
, fetchurl
, lib
, lua53Packages
}:
let lua = luaSmall;
let inherit (lua53Packages) lua;
in name : packages : source :
let
luapath = builtins.map (f: "${f}/share/lua/${lua.luaversion}/?.lua;") packages;
luacpath = builtins.map (f: "${f}/lib/lua/${lua.luaversion}/?.so;") packages;
in runCommand name {} ''
fennel = fetchurl {
url = "https://fennel-lang.org/downloads/fennel-1.3.0";
hash = "sha256-hYSD3rBYF8iTjBOA1m+TvUu8BSp8q6uIMUXi0xwo/dU=";
};
luapath = builtins.map (f: "${f}/share/lua/${luaSmall.luaversion}/?.lua;") packages;
luacpath = builtins.map (f: "${f}/lib/lua/${luaSmall.luaversion}/?.so;") packages;
in runCommand name {
nativeBuildInputs = [ lua ];
} ''
echo $PATH
#!${runtimeShell}
(
echo "#!${lua}/bin/lua"
echo "#!${luaSmall}/bin/lua"
echo "package.path = ${lib.strings.escapeShellArg luapath} .. package.path"
echo "package.cpath = ${lib.strings.escapeShellArg luacpath} .. package.cpath"
${lua.pkgs.fennel}/bin/fennel --correlate --compile ${source}
lua ${fennel} --correlate --compile ${source}
) > $out
chmod a+x $out
''
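Review bot: `echo $PATH` at the top of the runCommand builder looks like a debugging leftover; it only adds noise to the build log and should be removed. The wrapper is now compiled with the `lua` from `lua53Packages` (`nativeBuildInputs = [ lua ]`) while the generated shebang runs under `${luaSmall}/bin/lua` and luapath/luacpath use `luaSmall.luaversion`; that is consistent at runtime, but a comment above `let inherit (lua53Packages) lua;` saying the full Lua is build-time only (presumably because luaSmall lacks something the fennel compiler needs) would stop the next reader from "fixing" it. The fennel fetch is pinned by sha256, which is good; since it is executed as `lua ${fennel} --correlate --compile ${source}` it is evidently the standalone fennel script rather than a source tree, so a one-line comment on the fetchurl saying so would keep it from being mistaken for a build-from-source step.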