sif: network for libvirtd

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-06-22 10:50:52 +0200
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-06-22 10:50:52 +0200
commit: 9342cee52c63d50234db346ca0909caba0f94475 (patch)
tree: 52f86459557914b1bdd4ca52285d7fd8cd6ef554
parent: 5d640c6dbb9708296b761c8de89565043962c0a7 (diff)
download: nixos-9342cee52c63d50234db346ca0909caba0f94475.tar
nixos-9342cee52c63d50234db346ca0909caba0f94475.tar.gz
nixos-9342cee52c63d50234db346ca0909caba0f94475.tar.bz2
nixos-9342cee52c63d50234db346ca0909caba0f94475.tar.xz
nixos-9342cee52c63d50234db346ca0909caba0f94475.zip
2 files changed, 111 insertions, 3 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index c3f4bd41..d82222d0 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -56,6 +56,11 @@ in {
      kernelModules = ["v4l2loopback"];
      tmpOnTmpfs = true;
+      kernel.sysctl = {
+        "net.ipv4.ip_forward" = true;
+        "net.ipv6.conf.all.forwarding" = true;
+      };
    };
    networking = {
@@ -106,9 +111,10 @@ in {
      # };
    };
-    environment.etc."NetworkManager/dnsmasq.d/libvirtd_dnsmasq.conf" = {
+    environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
      text = ''
-        server=/sif.libvirt/192.168.122.1
+        except-interface=virbr0
+        server=/libvirt/192.168.122.1@virbr0
      '';
    };
    environment.etc."NetworkManager/dnsmasq.d/wgrz.conf" = {
@@ -153,6 +159,13 @@ in {
            }
          ];
        };
+        virbr0 = {
+          netdevConfig = {
+            Name = "virbr0";
+            Kind = "bridge";
+            MACAddress = "52:54:00:18:85:5b";
+          };
+        };
      };
      networks = {
        wgrz = {
@@ -201,6 +214,16 @@ in {
            DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];
          };
        };
+        virbr0 = {
+          name = "virbr0";
+          matchConfig = {
+            Name = "virbr0";
+          };
+          address = ["192.168.122.1/24" "fd45:febc:b028::/48"];
+          networkConfig = {
+            ConfigureWithoutCarrier = true;
+          };
+        };
      };
    };
    sops.secrets.wgrz = {
@@ -210,7 +233,42 @@ in {
      owner = "root";
      group = "systemd-network";
    };
-    networking.networkmanager.unmanaged = ["wgrz"];
+    networking.networkmanager.unmanaged = ["wgrz" "virbr0"];
+    services.dnsmasq = {
+      enable = true;
+      resolveLocalQueries = false;
+      servers = [];
+      extraConfig = ''
+        enable-ra
+        local=/libvirt/
+        domain-needed
+        expand-hosts
+        bogus-priv
+        no-hosts
+        listen-address=192.168.122.1
+        listen-address=fd45:febc:b028::
+        interface=virbr0
+        except-interface=lo
+        bind-interfaces
+        domain=libvirt,192.168.122.0/24
+        dhcp-range=192.168.122.128,192.168.122.254,1h
+        dhcp-range=fd45:febc:b028::1,fd45:febc:b028:0:ffff:ffff:ffff:ffff,ra-names,1h
+        dhcp-host=52:54:00:18:85:5b,sif,192.168.122.1
+        dhcp-authoritative
+        dhcp-rapid-commit
+        dhcp-option=option6:dns-server,[fd45:febc:b028::]
+      '';
+    };
+    systemd.services.dnsmasq = {
+      bindsTo = ["sys-subsystem-net-devices-virbr0.device"];
+      after = ["sys-subsystem-net-devices-virbr0.device"];
+    };
+    systemd.services.libvirtd = {
+      wants = ["dnsmasq.service"];
+      bindsTo = ["sys-subsystem-net-devices-virbr0.device"];
+      after = ["dnsmasq.service" "sys-subsystem-net-devices-virbr0.device"];
+    };
    services.openssh.enable = true;
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
index 363ffbdc..2a1467b8 100644
--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -84,6 +84,10 @@ table inet filter {
  counter tx {}
+  counter fw-libvirt {}
+  counter libvirt-dhcp {}
+  counter libvirt-dns {}
  chain forward {
    type filter hook forward priority filter
@@ -95,6 +99,9 @@ table inet filter {
    iifname lo counter name fw-lo accept
+    iifname virbr0 oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4} counter name fw-libvirt accept
+    oifname virbr0 ct state {established, related} counter name fw-libvirt accept
    limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
    log level debug prefix "reject forward: " counter name reject-fw
@@ -125,6 +132,11 @@ table inet filter {
    udp dport 51820-51822 counter name wg-rx accept
    iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
+    iifname virbr0 udp dport 67 counter name libvirt-dhcp accept
+    iifname virbr0 udp dport 547 counter name libvirt-dhcp accept
+    iifname virbr0 udp dport 53 counter name libvirt-dns accept
+    iifname virbr0 tcp dport 53 counter name libvirt-dns accept
    ct state {established, related} counter name established-rx accept
@@ -153,7 +165,45 @@ table inet filter {
    tcp sport 8000 counter name quickserve-tx accept
+    oifname virbr0 udp sport 67 counter name libvirt-dhcp accept
+    oifname virbr0 udp sport 547 counter name libvirt-dhcp accept
+    oifname virbr0 udp sport 53 counter name libvirt-dns accept
+    oifname virbr0 tcp sport 53 counter name libvirt-dns accept
    counter name tx
  }
 }
+table ip nat {
+  counter libvirt-nat {}
+  chain postrouting {
+    type nat hook postrouting priority srcnat
+    policy accept
+    iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
+  }
+}
+table ip6 nat {
+  counter libvirt-nat {}
+  chain postrouting {
+    type nat hook postrouting priority srcnat
+    policy accept
+    iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
+  }
+}
+table ip mss_clamp {
+  counter libvirt-mss-clamp {}
+  chain postrouting {
+    type filter hook postrouting priority mangle
+    policy accept
+    iifname virbr0 oifname != virbr0 tcp flags & (syn|rst) == syn counter name libvirt-mss-clamp tcp option maxseg size set rt mtu
+  }
+}
+\ No newline at end of file
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-06-22 10:50:52 +0200
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-06-22 10:50:52 +0200
commit	9342cee52c63d50234db346ca0909caba0f94475 (patch)
tree	52f86459557914b1bdd4ca52285d7fd8cd6ef554
parent	5d640c6dbb9708296b761c8de89565043962c0a7 (diff)
download	nixos-9342cee52c63d50234db346ca0909caba0f94475.tar nixos-9342cee52c63d50234db346ca0909caba0f94475.tar.gz nixos-9342cee52c63d50234db346ca0909caba0f94475.tar.bz2 nixos-9342cee52c63d50234db346ca0909caba0f94475.tar.xz nixos-9342cee52c63d50234db346ca0909caba0f94475.zip

diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index c3f4bd41..d82222d0 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix
@@ -56,6 +56,11 @@ in {
56	kernelModules = ["v4l2loopback"];	56	kernelModules = ["v4l2loopback"];
57		57
58	tmpOnTmpfs = true;	58	tmpOnTmpfs = true;
		59
		60	kernel.sysctl = {
		61	"net.ipv4.ip_forward" = true;
		62	"net.ipv6.conf.all.forwarding" = true;
		63	};
59	};	64	};
60		65
61	networking = {	66	networking = {
@@ -106,9 +111,10 @@ in {
106	# };	111	# };
107	};	112	};
108		113
109	environment.etc."NetworkManager/dnsmasq.d/libvirtd_dnsmasq.conf" = {	114	environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
110	text = ''	115	text = ''
111	server=/sif.libvirt/192.168.122.1	116	except-interface=virbr0
		117	server=/libvirt/192.168.122.1@virbr0
112	'';	118	'';
113	};	119	};
114	environment.etc."NetworkManager/dnsmasq.d/wgrz.conf" = {	120	environment.etc."NetworkManager/dnsmasq.d/wgrz.conf" = {
@@ -153,6 +159,13 @@ in {
153	}	159	}
154	];	160	];
155	};	161	};
		162	virbr0 = {
		163	netdevConfig = {
		164	Name = "virbr0";
		165	Kind = "bridge";
		166	MACAddress = "52:54:00:18:85:5b";
		167	};
		168	};
156	};	169	};
157	networks = {	170	networks = {
158	wgrz = {	171	wgrz = {
@@ -201,6 +214,16 @@ in {
201	DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];	214	DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];
202	};	215	};
203	};	216	};
		217	virbr0 = {
		218	name = "virbr0";
		219	matchConfig = {
		220	Name = "virbr0";
		221	};
		222	address = ["192.168.122.1/24" "fd45:febc:b028::/48"];
		223	networkConfig = {
		224	ConfigureWithoutCarrier = true;
		225	};
		226	};
204	};	227	};
205	};	228	};
206	sops.secrets.wgrz = {	229	sops.secrets.wgrz = {
@@ -210,7 +233,42 @@ in {
210	owner = "root";	233	owner = "root";
211	group = "systemd-network";	234	group = "systemd-network";
212	};	235	};
213	networking.networkmanager.unmanaged = ["wgrz"];	236	networking.networkmanager.unmanaged = ["wgrz" "virbr0"];
		237
		238	services.dnsmasq = {
		239	enable = true;
		240	resolveLocalQueries = false;
		241	servers = [];
		242	extraConfig = ''
		243	enable-ra
		244	local=/libvirt/
		245	domain-needed
		246	expand-hosts
		247	bogus-priv
		248	no-hosts
		249	listen-address=192.168.122.1
		250	listen-address=fd45:febc:b028::
		251	interface=virbr0
		252	except-interface=lo
		253	bind-interfaces
		254	domain=libvirt,192.168.122.0/24
		255	dhcp-range=192.168.122.128,192.168.122.254,1h
		256	dhcp-range=fd45:febc:b028::1,fd45:febc:b028:0:ffff:ffff:ffff:ffff,ra-names,1h
		257	dhcp-host=52:54:00:18:85:5b,sif,192.168.122.1
		258	dhcp-authoritative
		259	dhcp-rapid-commit
		260	dhcp-option=option6:dns-server,[fd45:febc:b028::]
		261	'';
		262	};
		263	systemd.services.dnsmasq = {
		264	bindsTo = ["sys-subsystem-net-devices-virbr0.device"];
		265	after = ["sys-subsystem-net-devices-virbr0.device"];
		266	};
		267	systemd.services.libvirtd = {
		268	wants = ["dnsmasq.service"];
		269	bindsTo = ["sys-subsystem-net-devices-virbr0.device"];
		270	after = ["dnsmasq.service" "sys-subsystem-net-devices-virbr0.device"];
		271	};
214		272
215	services.openssh.enable = true;	273	services.openssh.enable = true;
216		274


diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft index 363ffbdc..2a1467b8 100644 --- a/hosts/sif/ruleset.nft +++ b/hosts/sif/ruleset.nft
@@ -84,6 +84,10 @@ table inet filter {
84		84
85	counter tx {}	85	counter tx {}
86		86
		87	counter fw-libvirt {}
		88	counter libvirt-dhcp {}
		89	counter libvirt-dns {}
		90
87		91
88	chain forward {	92	chain forward {
89	type filter hook forward priority filter	93	type filter hook forward priority filter
@@ -95,6 +99,9 @@ table inet filter {
95		99
96	iifname lo counter name fw-lo accept	100	iifname lo counter name fw-lo accept
97		101
		102	iifname virbr0 oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4} counter name fw-libvirt accept
		103	oifname virbr0 ct state {established, related} counter name fw-libvirt accept
		104
98		105
99	limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop	106	limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
100	log level debug prefix "reject forward: " counter name reject-fw	107	log level debug prefix "reject forward: " counter name reject-fw
@@ -125,6 +132,11 @@ table inet filter {
125	udp dport 51820-51822 counter name wg-rx accept	132	udp dport 51820-51822 counter name wg-rx accept
126	iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept	133	iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
127		134
		135	iifname virbr0 udp dport 67 counter name libvirt-dhcp accept
		136	iifname virbr0 udp dport 547 counter name libvirt-dhcp accept
		137	iifname virbr0 udp dport 53 counter name libvirt-dns accept
		138	iifname virbr0 tcp dport 53 counter name libvirt-dns accept
		139
128	ct state {established, related} counter name established-rx accept	140	ct state {established, related} counter name established-rx accept
129		141
130		142
@@ -153,7 +165,45 @@ table inet filter {
153		165
154	tcp sport 8000 counter name quickserve-tx accept	166	tcp sport 8000 counter name quickserve-tx accept
155		167
		168	oifname virbr0 udp sport 67 counter name libvirt-dhcp accept
		169	oifname virbr0 udp sport 547 counter name libvirt-dhcp accept
		170	oifname virbr0 udp sport 53 counter name libvirt-dns accept
		171	oifname virbr0 tcp sport 53 counter name libvirt-dns accept
		172
156		173
157	counter name tx	174	counter name tx
158	}	175	}
159	}	176	}
		177
		178	table ip nat {
		179	counter libvirt-nat {}
		180
		181	chain postrouting {
		182	type nat hook postrouting priority srcnat
		183	policy accept
		184
		185	iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
		186	}
		187	}
		188
		189	table ip6 nat {
		190	counter libvirt-nat {}
		191
		192	chain postrouting {
		193	type nat hook postrouting priority srcnat
		194	policy accept
		195
		196	iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
		197	}
		198	}
		199
		200	table ip mss_clamp {
		201	counter libvirt-mss-clamp {}
		202
		203	chain postrouting {
		204	type filter hook postrouting priority mangle
		205	policy accept
		206
		207	iifname virbr0 oifname != virbr0 tcp flags & (syn\|rst) == syn counter name libvirt-mss-clamp tcp option maxseg size set rt mtu
		208	}
		209	} \ No newline at end of file