author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-14 04:14:32 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-14 04:14:32 +0100 |
commit | c923294b84cdd22bc171337335735cd564f9a03c (patch) | |
tree | 4d5b08e6473867b41887d1f428e3d5a3b95aa9b8 /hosts/vidhar/network | |
parent | 947aac1ca6c930d94776124c60df2ce8b2b59621 (diff) | |
Revert "vidhar: ..."
This reverts commit ac71bc3f6216a247615ce36c6eddf25365b00a76.
Diffstat (limited to 'hosts/vidhar/network')
-rw-r--r-- | hosts/vidhar/network/default.nix | 94 | ||||
-rw-r--r-- | hosts/vidhar/network/dsl.nix | 15 | ||||
-rw-r--r-- | hosts/vidhar/network/ruleset.nft | 47 |
3 files changed, 37 insertions, 119 deletions
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix index 29d4ba92..a1d1b172 100644 --- a/hosts/vidhar/network/default.nix +++ b/hosts/vidhar/network/default.nix | |||
@@ -21,7 +21,7 @@ | |||
21 | { address = "10.141.1.1"; prefixLength = 24; } | 21 | { address = "10.141.1.1"; prefixLength = 24; } |
22 | ]; | 22 | ]; |
23 | }; | 23 | }; |
24 | interfaces."wifibh" = { | 24 | interfaces."dmz01" = { |
25 | ipv4.addresses = [ | 25 | ipv4.addresses = [ |
26 | { address = "10.141.2.1"; prefixLength = 24; } | 26 | { address = "10.141.2.1"; prefixLength = 24; } |
27 | ]; | 27 | ]; |
@@ -32,11 +32,11 @@ | |||
32 | id = 2; | 32 | id = 2; |
33 | interface = "eno2"; | 33 | interface = "eno2"; |
34 | }; | 34 | }; |
35 | "eno2.lan" = { | 35 | lan = { |
36 | id = 3; | 36 | id = 3; |
37 | interface = "eno2"; | 37 | interface = "eno2"; |
38 | }; | 38 | }; |
39 | wifibh = { | 39 | dmz01 = { |
40 | id = 4; | 40 | id = 4; |
41 | interface = "eno2"; | 41 | interface = "eno2"; |
42 | }; | 42 | }; |
@@ -70,6 +70,13 @@ | |||
70 | option domain-name-servers 10.141.1.1; | 70 | option domain-name-servers 10.141.1.1; |
71 | option broadcast-address 10.141.1.255; | 71 | option broadcast-address 10.141.1.255; |
72 | } | 72 | } |
73 | |||
74 | subnet 10.141.2.0 netmask 255.255.255.0 { | ||
75 | range 10.141.2.128 10.141.2.254; | ||
76 | option domain-name-servers 10.141.2.1; | ||
77 | option broadcast-address 10.141.2.255; | ||
78 | option routers 10.141.2.1; | ||
79 | } | ||
73 | ''; | 80 | ''; |
74 | machines = [ | 81 | machines = [ |
75 | { | 82 | { |
@@ -89,81 +96,16 @@ | |||
89 | } | 96 | } |
90 | ]; | 97 | ]; |
91 | }; | 98 | }; |
92 | systemd.network = { | 99 | systemd.network.networks = { |
93 | netdevs = { | 100 | "eno1" = { |
94 | "wifibh01" = { | 101 | matchConfig.Name = "eno1"; |
95 | netdevConfig = { | 102 | linkConfig = { |
96 | Name = "wifibh01"; | 103 | ActivationPolicy = "down"; |
97 | Kind = "gretap"; | ||
98 | }; | ||
99 | tunnelConfig = { | ||
100 | Local = "10.141.2.1"; | ||
101 | Remote = "10.141.2.2"; | ||
102 | }; | ||
103 | }; | ||
104 | "wifibh01.lan" = { | ||
105 | netdevConfig = { | ||
106 | Name = "wifibh01.lan"; | ||
107 | Kind = "vlan"; | ||
108 | }; | ||
109 | vlanConfig = { | ||
110 | Id = 2; | ||
111 | }; | ||
112 | }; | ||
113 | lan = { | ||
114 | netdevConfig = { | ||
115 | Name = "lan"; | ||
116 | Kind = "bridge"; | ||
117 | }; | ||
118 | }; | 104 | }; |
119 | }; | 105 | }; |
120 | 106 | "eno2" = { | |
121 | networks = { | 107 | matchConfig.Name = "eno2"; |
122 | "eno1" = { | 108 | networkConfig.LinkLocalAddressing = "no"; |
123 | matchConfig.Name = "eno1"; | ||
124 | linkConfig = { | ||
125 | ActivationPolicy = "down"; | ||
126 | }; | ||
127 | }; | ||
128 | "eno2" = { | ||
129 | matchConfig.Name = "eno2"; | ||
130 | networkConfig.LinkLocalAddressing = "no"; | ||
131 | }; | ||
132 | "40-wifibh" = { | ||
133 | matchConfig.Name = "wifibh"; | ||
134 | networkConfig = { | ||
135 | Tunnel = ["wifibh01"]; | ||
136 | }; | ||
137 | }; | ||
138 | "wifibh01" = { | ||
139 | matchConfig.Name = "wifibh01"; | ||
140 | linkConfig = { | ||
141 | MACAddress = "02:01:00:00:00:00"; | ||
142 | RequiredForOnline = false; | ||
143 | }; | ||
144 | networkConfig = { | ||
145 | LinkLocalAddressing = "no"; | ||
146 | VLAN = ["wifibh01.lan"]; | ||
147 | }; | ||
148 | }; | ||
149 | "wifibh01.lan" = { | ||
150 | matchConfig.Name = "wifibh01.lan"; | ||
151 | networkConfig.Bridge = "lan"; | ||
152 | extraConfig = '' | ||
153 | [Bridge] | ||
154 | HairPin = true | ||
155 | Cost = 10 | ||
156 | ''; | ||
157 | }; | ||
158 | "40-eno2.lan" = { | ||
159 | matchConfig.Name = "eno2.lan"; | ||
160 | networkConfig.Bridge = "lan"; | ||
161 | extraConfig = '' | ||
162 | [Bridge] | ||
163 | HairPin = false | ||
164 | Cost = 1 | ||
165 | ''; | ||
166 | }; | ||
167 | }; | 109 | }; |
168 | }; | 110 | }; |
169 | }; | 111 | }; |
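Review bot: The new side puts `lan` (id 3) and `dmz01` (id 4) as VLANs on the same trunk `eno2` (hunk at -32,11 +32,11), so the separation of the DMZ from the LAN at layer 2 depends entirely on the switch keeping those VLAN ids apart, which nothing in this file records. A short comment on the vlans block would make that assumption visible, e.g. `# lan (3) and dmz01 (4) share the eno2 trunk; L2 isolation is enforced by the switch's VLAN config, L3 by ruleset.nft`. The dhcpd subnet added at -70,6 +70,13 hands out 10.141.2.1 as both router and resolver, which is consistent with the dmz01 address on this host, but the pool starting at .128 appears to leave .2-.127 for static leases; if that is the intent it is worth a one-line comment as well.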
diff --git a/hosts/vidhar/network/dsl.nix b/hosts/vidhar/network/dsl.nix index 9c9a57b8..ae2caec2 100644 --- a/hosts/vidhar/network/dsl.nix +++ b/hosts/vidhar/network/dsl.nix | |||
@@ -95,6 +95,13 @@ in { | |||
95 | rdnss = [{ servers = ["::"]; }]; | 95 | rdnss = [{ servers = ["::"]; }]; |
96 | dnssl = [{ domain_names = ["yggdrasil"]; }]; | 96 | dnssl = [{ domain_names = ["yggdrasil"]; }]; |
97 | } | 97 | } |
98 | { name = "dmz01"; | ||
99 | advertise = true; | ||
100 | verbose = true; | ||
101 | prefix = [{ prefix = "::/64"; }]; | ||
102 | route = [{ prefix = "::/0"; }]; | ||
103 | rdnss = [{ servers = ["::"]; }]; | ||
104 | } | ||
98 | ]; | 105 | ]; |
99 | 106 | ||
100 | debug = { | 107 | debug = { |
@@ -114,6 +121,11 @@ in { | |||
114 | interface = "lan"; | 121 | interface = "lan"; |
115 | network = "::/0"; | 122 | network = "::/0"; |
116 | }; | 123 | }; |
124 | dmz01 = { | ||
125 | method = "iface"; | ||
126 | interface = "dmz01"; | ||
127 | network = "::/0"; | ||
128 | }; | ||
117 | }; | 129 | }; |
118 | }; | 130 | }; |
119 | }; | 131 | }; |
@@ -156,7 +168,7 @@ in { | |||
156 | ''; | 168 | ''; |
157 | 169 | ||
158 | postStop = '' | 170 | postStop = '' |
159 | for dev in lan; do | 171 | for dev in lan dmz01; do |
160 | ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}" | 172 | ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}" |
161 | done | 173 | done |
162 | ''; | 174 | ''; |
@@ -181,6 +193,7 @@ in { | |||
181 | iaid 1195061668 | 193 | iaid 1195061668 |
182 | ipv6rs # enable routing solicitation for WAN adapter | 194 | ipv6rs # enable routing solicitation for WAN adapter |
183 | ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN | 195 | ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN |
196 | ia_pd 1 dmz01/1/64/0 # request a PD and assign it to dmz01 | ||
184 | 197 | ||
185 | reboot 0 | 198 | reboot 0 |
186 | 199 | ||
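Review bot: The dhcpcd line `ia_pd 1 dmz01/1/64/0` only works alongside `ia_pd 1 lan/0/64/0` because the sla_id values 0 and 1 differ, giving each segment its own /64 out of the one delegated prefix; that constraint is implicit and easy to break when a third segment is added. Suggest extending the comment to `# request a PD and assign it to dmz01 (sla_id 1; must be unique per interface sharing the PD)`. The radvd entry for dmz01 added at -95,6 +95,13 advertises `::/0` as a route to dmz01 hosts, so it presumes forwarding from dmz01 upstream is allowed in ruleset.nft; a cross-reference comment there would keep the two files from drifting apart, since the postStop loop at -156,7 +168,7 already has to be kept in sync with the same interface list.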
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 0a70da39..fb04e449 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft | |||
@@ -80,7 +80,6 @@ table inet filter { | |||
80 | counter dns-rx {} | 80 | counter dns-rx {} |
81 | counter wg-rx {} | 81 | counter wg-rx {} |
82 | counter yggdrasil-gre-rx {} | 82 | counter yggdrasil-gre-rx {} |
83 | counter wifibh-gre-rx {} | ||
84 | counter ipv6-pd-rx {} | 83 | counter ipv6-pd-rx {} |
85 | counter ntp-rx {} | 84 | counter ntp-rx {} |
86 | counter dhcp-rx {} | 85 | counter dhcp-rx {} |
@@ -107,7 +106,6 @@ table inet filter { | |||
107 | counter dns-tx {} | 106 | counter dns-tx {} |
108 | counter wg-tx {} | 107 | counter wg-tx {} |
109 | counter yggdrasil-gre-tx {} | 108 | counter yggdrasil-gre-tx {} |
110 | counter wifibh-gre-tx {} | ||
111 | counter ipv6-pd-tx {} | 109 | counter ipv6-pd-tx {} |
112 | counter ntp-tx {} | 110 | counter ntp-tx {} |
113 | counter dhcp-tx {} | 111 | counter dhcp-tx {} |
@@ -138,7 +136,8 @@ table inet filter { | |||
138 | oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept | 136 | oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept |
139 | 137 | ||
140 | iifname lan oifname dsl counter name fw-lan accept | 138 | iifname lan oifname dsl counter name fw-lan accept |
141 | iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept | 139 | iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept |
140 | |||
142 | 141 | ||
143 | 142 | ||
144 | limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop | 143 | limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop |
@@ -166,19 +165,18 @@ table inet filter { | |||
166 | iifname { lan, mgmt, dsl, yggdrasil } tcp dport 22 counter name ssh-rx accept | 165 | iifname { lan, mgmt, dsl, yggdrasil } tcp dport 22 counter name ssh-rx accept |
167 | iifname { lan, mgmt, dsl, yggdrasil } udp dport 60001-61000 counter name mosh-rx accept | 166 | iifname { lan, mgmt, dsl, yggdrasil } udp dport 60001-61000 counter name mosh-rx accept |
168 | 167 | ||
169 | iifname { lan, mgmt } tcp dport 53 counter name dns-rx accept | 168 | iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept |
170 | iifname { lan, mgmt } udp dport 53 counter name dns-rx accept | 169 | iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept |
171 | 170 | ||
172 | iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept | 171 | iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept |
173 | iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept | 172 | iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept |
174 | iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept | 173 | iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept |
175 | iifname wifibh meta l4proto gre counter name wifibh-gre-rx accept | ||
176 | 174 | ||
177 | iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept | 175 | iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept |
178 | 176 | ||
179 | iifname mgmt udp dport 123 counter name ntp-rx accept | 177 | iifname mgmt udp dport 123 counter name ntp-rx accept |
180 | 178 | ||
181 | iifname { lan, mgmt } udp dport 67 counter name dhcp-rx accept | 179 | iifname { lan, mgmt, dmz01 } udp dport 67 counter name dhcp-rx accept |
182 | 180 | ||
183 | iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept | 181 | iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept |
184 | iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept | 182 | iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept |
@@ -217,7 +215,6 @@ table inet filter { | |||
217 | meta protocol ip udp sport 51820 counter name wg-tx | 215 | meta protocol ip udp sport 51820 counter name wg-tx |
218 | meta protocol ip6 udp sport 51821 counter name wg-tx | 216 | meta protocol ip6 udp sport 51821 counter name wg-tx |
219 | iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx | 217 | iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx |
220 | iifname wifibh meta l4proto gre counter name wifibh-gre-tx | ||
221 | 218 | ||
222 | meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx | 219 | meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx |
223 | 220 | ||
@@ -238,40 +235,6 @@ table inet filter { | |||
238 | } | 235 | } |
239 | } | 236 | } |
240 | 237 | ||
241 | table bridge filter { | ||
242 | counter invalid-fw {} | ||
243 | counter wifibh-fw {} | ||
244 | counter lan-fw {} | ||
245 | |||
246 | chain forward { | ||
247 | type filter hook forward priority filter | ||
248 | policy drop | ||
249 | |||
250 | |||
251 | log level debug prefix "bridge forward: " | ||
252 | |||
253 | |||
254 | ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop | ||
255 | |||
256 | iifname "wifibh01.lan" counter name wifibh-fw accept | ||
257 | iifname "eno2.lan" counter name lan-fw accept | ||
258 | } | ||
259 | |||
260 | chain input { | ||
261 | type filter hook input priority filter | ||
262 | policy accept | ||
263 | |||
264 | log level debug prefix "bridge input: " | ||
265 | } | ||
266 | |||
267 | chain output { | ||
268 | type filter hook output priority filter | ||
269 | policy accept | ||
270 | |||
271 | log level debug prefix "bridge output: " | ||
272 | } | ||
273 | } | ||
274 | |||
275 | table ip nat { | 238 | table ip nat { |
276 | counter dsl-nat {} | 239 | counter dsl-nat {} |
277 | 240 | ||
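Review bot: In the forward chain on the new side (hunk at -138,7 +136,8) traffic from dsl to dmz01 is accepted only for `ct state {established, related}`, but no rule accepting `iifname dmz01 oifname dsl` is visible, while dsl.nix on the same commit advertises a `::/0` route and a delegated /64 to dmz01 hosts. If the rest of the forward chain, which starts and ends outside this hunk, does not add such a rule, the dsl-to-dmz01 return-path rule is dead and dmz01 hosts get a default route they cannot use; if isolating dmz01 from the upstream is intended, the return-path rule should be removed so the policy is not misleading. Should upstream access be intended, the counterpart would be `iifname dmz01 oifname dsl counter name fw-dmz01 accept` plus a matching `counter fw-dmz01 {}` declaration alongside the existing ones. Either way a comment stating the dmz01 policy explicitly, e.g. `# dmz01: no forwarding to lan (default drop); upstream only as allowed below`, would document the isolation this ruleset relies on.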