allow lan dns queries (ipv6)

rotuer: network debugging tools
rotuer: don't forward queries for local domain
2024-02-11 23:31:15 +00:00 · 2024-02-11 23:30:46 +00:00 · 2024-02-11 23:30:12 +00:00 · 2024-02-11 15:46:18 +00:00 · 2024-02-11 15:46:18 +00:00 · 2024-02-11 15:46:18 +00:00
10 changed files with 160 additions and 32 deletions
--- a/THOUGHTS.txt
+++ b/THOUGHTS.txt
@ -3952,3 +3952,64 @@ I can actually use it as a CPE. This means
 - would be quite cool to run sniproxy instead of forwarding to
  loaclhost (extra credit)
 Sat Feb 10 12:41:12 GMT 2024
  s6-linux-init version 1.1.2.0
 nfnetlink: module verification failed: signature and/or required key missing - tainting kernel
 ------------[ cut here ]------------
 kernel BUG at net/wireless/core.h:125!
 Internal error: Oops - BUG: 0 [#1] SMP ARM
 Modules linked in: cfg80211(E+) nfnetlink(E)
 CPU: 0 PID: 197 Comm: insmod Tainted: G            E      6.7.4 #1
 Hardware name: Marvell Armada 380/385 (Device Tree)
 PC is at cfg80211_netdev_notifier_call+0x2cc/0x3e0 [cfg80211]
 LR is at call_netdevice_register_net_notifiers+0x4c/0xec
 pc : [<bf010024>]    lr : [<c0672e30>]    psr: 60000013
 sp : f0ba5c10  ip : fffffffb  fp : c328df00
 r10: c15c4170  r9 : c328df00  r8 : 00000000
 r7 : 00000000  r6 : bf04c620  r5 : c10c9000  r4 : c11ff414
 r3 : 00000000  r2 : f0ba5df4  r1 : 00000005  r0 : bf04c620
 Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
 Control: 10c5387d  Table: 0320804a  DAC: 00000051
 R
 cfg80211_netdev_notifier_call [cfg80211] from call_netdevice_register_net_notifiers+0x4c/0xec
 setenv omnia_reset 1; run bootcmd_rescue
 Sat Feb 10 18:23:54 GMT 2024
 ARGH KERNEL
 You can't define CONFIG_NETFILTER=y in a monolithic kernel and expect
 later to separately build some modules that use it, because there are
 a bunch of symbols that only get defined if certain other CONFIG
 options are set at the time that the monolithic kernel is built.
 https://github.com/torvalds/linux/blob/master/net/netfilter/core.c#L689
 Another example is
 https://github.com/torvalds/linux/blob/master/include/linux/netdevice.h#L160
 - if you decide after building the kernel that you're going to build
 some wireless modules, you can't do that without rebuilding the kernel
 so that it knows to expect them
 The moral of the story seems to be: if you have a compiled Linux kernel source tree and you change some symbol from "is not set" to m and then run  make modules, you cannot in general expect that newly compiled  module to work.
 AP advertised VHT without HT, disabling HT/VHT/HE
 TODO
 - support kernel version as parameter to builder pkgs/kernel/default.nix
 - extract the change in how module loading works from omnia device config,
  and fix the other thing that uses it
 - wlan module to take 'backported' as a parameter
  half of the omnia conditionalConfig can go into the module
 - upgrade omnia to kernel v6
 - figure out what mdns we need for local hostname resolution
  (maybe bridging lan/wlan)?
 - [DONE] slow wifi because "AP advertised VHT without HT, disabling HT/VHT/HE"
 - [DONE] add local domain to secrets
 - run sniproxy instead of forwarding
 - forward some port to loaclhost 22 for inbound ipv4 ssh
--- a/devices/turris-omnia/default.nix
+++ b/devices/turris-omnia/default.nix
@ -182,12 +182,10 @@
        kernel = {
          src = pkgs.pkgsBuildBuild.fetchurl {
            name = "linux.tar.gz";
-            url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
+            url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.7.4.tar.gz";
-            hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
+            hash = "sha256-wIrmL0BS63nRwWfm4nw+dRNVPUzGh9M4X7LaHzAn5tU=";
          };
-          extraPatchPhase = ''
+          version = "6.7.4";
            ${pkgs.openwrt.applyPatches.mvebu}
          '';
          config = {
            PCI = "y";
            OF = "y";
@ -203,6 +201,10 @@
            RTC_CLASS = "y";
            RTC_DRV_ARMADA38X = "y"; # this may be useful anyway?
            EXPERT = "y";
            ALLOW_DEV_COREDUMP = "n";
            # dts has a compatible for this but dmesg is not
            # showing it
            EEPROM_AT24 = "y"; # atmel,24c64
@ -213,9 +215,9 @@
            MACH_ARMADA_38X = "y";
            SMP = "y";
-	          # this is disabled for the moment because it relies on a GCC
+	          # this is disabled for the moment because it relies on a
-            # plugin that requires gmp.h to build, and I can't see right now
+            # GCC plugin that requires gmp.h to build, and I can't see
-            # how to confgure it to find gmp
+            # right now how to confgure it to find gmp
            STACKPROTECTOR_PER_TASK = "n";
            NR_CPUS = "4";
            VFP = "y";
@ -227,7 +229,7 @@
            PSTORE = "y";
            PSTORE_RAM = "y";
            PSTORE_CONSOLE = "y";
-            PSTORE_DEFLATE_COMPRESS = "n";
+#            PSTORE_DEFLATE_COMPRESS = "n";
            BLOCK = "y";
            MMC="y";
@ -286,9 +288,25 @@
              USB_XHCI_MVEBU = "y";
              USB_XHCI_HCD = "y";
            };
            WLAN = {
              CFG80211 = "m";
              MAC80211 = "m";
              CFG80211_CERTIFICATION_ONUS = "y";
              CFG80211_REQUIRE_SIGNED_REGDB = "n"; # depends on ONUS
              CFG80211_CRDA_SUPPORT = "n";
              WLAN_VENDOR_ATH = "y";
              ATH_COMMON = "m";
              ATH9K = "m";
              ATH9K_PCI = "y";
              ATH10K = "m";
              ATH10K_PCI = "m";
              ATH10K_DEBUG = "y";
            };
          };
        };
        boot = {
          commandLine = [
            "console=ttyS0,115200"
@ -328,10 +346,41 @@
        };
        hardware = let
-          mac80211 = pkgs.mac80211.override {
+          mac80211 =
-            drivers = ["ath9k_pci" "ath10k_pci"];
+            let
-            klibBuild = config.system.outputs.kernel.modulesupport;
+              targets = [
-          };
+                "ath9k"
                "ath10k_pci"
              ];
              kmodules = pkgs.runCommand "modules" {
                nativeBuildInputs = with pkgs.pkgsBuildBuild ;[
                  kmod cpio gawk
                ];
              } ''
                kernel=${config.system.outputs.kernel.modulesupport}
                mkdir -p lib/modules/0.0
                (cd $kernel && find . -name \*.ko | cpio --verbose --make-directories -p $NIX_BUILD_TOP/lib/modules/0.0)
                cp $kernel/modules.* lib/modules/0.0
                depmod -b . 0.0
                (for i in ${lib.concatStringsSep " " targets}; do
                  modprobe -S 0.0 -d  $NIX_BUILD_TOP --show-depends $i | sed "s,^insmod $NIX_BUILD_TOP/lib/modules/0.0/,,g"
                done) | awk '!a[$0]++' > load-order
                mkdir $out
                for i in $(cat load-order); do
                  install -v $NIX_BUILD_TOP/lib/modules/0.0/$i -D $out/$i
                done
                echo "O=$out" > $out/load.sh
                sed "s,^,insmod \$O/,g" < load-order >> $out/load.sh
                echo "O=$out" > $out/unload.sh
                tac load-order | sed "s,^,rmmod \$O/,g" > $out/unload.sh
              ''; in
            oneshot {
              name = "mac80211-modules";
              up = "sh ${kmodules}/load.sh";
              down = "sh ${kmodules}/unload.sh";
            };
        in {
          defaultOutput = "mtdimage";
          loadAddress = lim.parseInt "0x00800000"; # "0x00008000";
@ -339,9 +388,9 @@
          rootDevice = "/dev/mmcblk0p1";
          dts = {
-            src = "${config.system.outputs.kernel.modulesupport}/arch/arm/boot/dts/armada-385-turris-omnia.dts";
+            src = "${config.system.outputs.kernel.modulesupport}/arch/arm/boot/dts/marvell/armada-385-turris-omnia.dts";
            includes =  [
-              "${config.system.outputs.kernel.modulesupport}/arch/arm/boot/dts/"
+              "${config.system.outputs.kernel.modulesupport}/arch/arm/boot/dts/marvell/"
            ];
          };
          flash.eraseBlockSize = 65536; # only used for tftpboot
--- a/examples/arhcive.nix
+++ b/examples/arhcive.nix
@ -145,7 +145,7 @@ in rec {
    };
  users.root = {
-    passwd = lib.mkForce secrets.root_password;
+    passwd = lib.mkForce secrets.root.passwd;
    # openssh.authorizedKeys.keys = [
    #   (builtins.readFile "/home/dan/.ssh/id_rsa.pub")
    # ];
--- a/examples/demo-firewall.nix
+++ b/examples/demo-firewall.nix
@ -107,6 +107,7 @@ in {
    rules = [
      (accept "udp dport 547") # dhcp, could restrict to daddr ff02::1:2
      (accept "udp dport 53") # dns
      (accept "tcp dport 22")
    ];
  };
--- a/examples/extneder.nix
+++ b/examples/extneder.nix
@ -131,6 +131,6 @@ in rec {
    dependencies = [services.dhcpc];
  };
-  users.root.passwd = lib.mkForce secrets.root_password;
+  users.root.passwd = lib.mkForce secrets.root.passwd;
  defaultProfile.packages = with pkgs; [nftables strace tcpdump swconfig];
 }
--- a/examples/rotuer-secrets.example.nix
+++ b/examples/rotuer-secrets.example.nix
@ -1,5 +1,6 @@
-rec {
+{
  wpa_passphrase = "you bring light in";
  ssid = "liminix";
  l2tp = {
    name = "abcde@a.1";
    password = "NotMyIspPassword";
@ -10,9 +11,9 @@ rec {
    openssh.authorizedKeys.keys = [
    ];
  };
-  root_password = root.passwd;
+
  lan = {
-    prefix = "10.8.0"; # "192.168.8";
+    prefix = "10.8.0";
  };
 }
--- a/examples/rotuer.nix
+++ b/examples/rotuer.nix
@ -8,7 +8,10 @@
 { config, pkgs, lib, ... } :
 let
-  secrets = import ./rotuer-secrets.nix;
+  secrets = {
    domainName = "fake.liminix.org";
    firewallRules = {};
  } // (import ./rotuer-secrets.nix);
  inherit (pkgs.liminix.services) oneshot longrun bundle;
  inherit (pkgs) serviceFns;
  svc = config.system.service;
@ -23,6 +26,7 @@ let
    wmm_enabled = 1;
  };
 in rec {
  boot = {
    tftp = {
@ -55,7 +59,7 @@ in rec {
  services.hostap = svc.hostapd.build {
    interface = config.hardware.networkInterfaces.wlan;
    params = {
-      ssid = "liminix";
+      ssid = secrets.ssid;
      hw_mode="g";
      channel = "2";
      ieee80211n = 1;
@ -65,7 +69,7 @@ in rec {
  services.hostap5 = svc.hostapd.build {
    interface = config.hardware.networkInterfaces.wlan5;
    params = rec {
-      ssid = "liminix_5";
+      ssid = "${secrets.ssid}5";
      hw_mode="a";
      channel = 36;
      ht_capab = "[HT40+]";
@ -84,7 +88,8 @@ in rec {
  services.bridge =  svc.bridge.members.build {
    primary = services.int;
    members = with config.hardware.networkInterfaces;
-      [ wlan
+      [
        wlan
        wlan5
        lan0
        lan1
@ -120,8 +125,8 @@ in rec {
      # You can add static addresses for the DHCP server here.  I'm
      # not putting my actual MAC addresses in a public git repo ...
      hosts = { } // lib.optionalAttrs (builtins.pathExists ./static-leases.nix) (import ./static-leases.nix);
-
+      upstreams = [ "/${secrets.domainName}/" ];
-      domain = "fake.liminix.org";
+      domain = secrets.domainName;
    };
  services.wan = svc.pppoe.build {
@ -194,6 +199,9 @@ in rec {
  defaultProfile.packages = with pkgs; [
    min-collect-garbage
    nftables
    strace
    tcpdump
  ];
  programs.busybox.applets = [
--- a/modules/kernel.nix
+++ b/modules/kernel.nix
@ -27,6 +27,7 @@ in {
  options = {
    kernel = {
      src = mkOption { type = types.path; } ;
      version = mkOption { type = types.str; default = "5.15.137";} ;
      modular = mkOption {
        type = types.bool;
        default = true;
@ -79,7 +80,8 @@ in {
          config.kernel.conditionalConfig;
        k = liminix.builders.kernel.override {
          config = mergedConfig;
-          inherit (config.kernel) src extraPatchPhase;
+          version = builtins.trace config.kernel.version config.kernel.version;
          inherit (config.kernel)  src extraPatchPhase;
          targets = config.kernel.makeTargets;
        };
      in {
--- a/modules/wlan.nix
+++ b/modules/wlan.nix
@ -46,6 +46,10 @@ in {
        CRYPTO_SHA1 = "y";
        ENCRYPTED_KEYS = "y";
        KEYS = "y";
        # see note in include/linux/netdevice.h re LL_MAX_HEADER
        WLAN = "y";
      };
    };
  };
--- a/pkgs/kernel/default.nix
+++ b/pkgs/kernel/default.nix
@ -6,6 +6,7 @@
 , config
 , src
 , version ? "1"
 , extraPatchPhase ? "echo"
 , targets ? ["vmlinux"]
 } :
@ -23,6 +24,7 @@ stdenv.mkDerivation rec {
                      (with buildPackages.pkgs; [
                        rsync bc bison flex pkg-config
                        openssl ncurses.all perl
                        cpio
                      ]);
  CC = "${stdenv.cc.bintools.targetPrefix}gcc";
  HOSTCC = with buildPackages.pkgs;
@ -51,9 +53,9 @@ stdenv.mkDerivation rec {
  patches = [
    ./cmdline-cookie.patch
    ./phram-allow-cached-mappings.patch
    ./mips-malta-fdt-from-bootloader.patch
-  ];
+  ] ++ lib.optional (lib.versionOlder version "6.0")
    ./phram-allow-cached-mappings.patch;
  # this is here to work around what I think is a bug in nixpkgs
  # packaging of ncurses: it installs pkg-config data files which
@ -103,8 +105,8 @@ stdenv.mkDerivation rec {
    mkdir -p $headers
    cp -a include .config $headers/
    mkdir -p $modulesupport
-    cp modules.* $modulesupport
+    cp modules.* vmlinux.o $modulesupport
-    make clean modules_prepare
+    make modules
    cp -a . $modulesupport
  '';
 }
Author	SHA1	Message	Date
Daniel Barlow	3792ec1f39	allow lan dns queries (ipv6)	2024-02-11 23:31:15 +00:00
Daniel Barlow	f71e8d5710	rotuer: network debugging tools	2024-02-11 23:30:46 +00:00
Daniel Barlow	d3bde4533b	rotuer: don't forward queries for local domain	2024-02-11 23:30:12 +00:00
Daniel Barlow	0e941a8686	deep thoughts	2024-02-11 15:46:18 +00:00
Daniel Barlow	f023f7a0de	deep thoughts	2024-02-11 15:46:18 +00:00
Daniel Barlow	6c61d88a3a	deep thoughts	2024-02-11 15:46:18 +00:00
Daniel Barlow	bbce605a14	WIP-but-works: mainline kernel for Turris Omnia	2024-02-11 15:46:18 +00:00
Daniel Barlow	e6705c4d06	rotuer: make domainName configurable	2024-02-11 15:40:28 +00:00
Daniel Barlow	6684d34a43	add wifi ssid to secrets	2024-02-11 15:40:17 +00:00
Daniel Barlow	a8c6d5d8a4	remove root_password secret, is dup of root.passwd	2024-02-11 15:40:11 +00:00