summaryrefslogtreecommitdiff
path: root/hosts/vidhar/network
diff options
context:
space:
mode:
Diffstat (limited to 'hosts/vidhar/network')
-rw-r--r--hosts/vidhar/network/default.nix39
-rw-r--r--hosts/vidhar/network/dhcp/default.nix6
-rw-r--r--hosts/vidhar/network/gpon.nix271
-rw-r--r--hosts/vidhar/network/no-double-timeout.patch13
-rw-r--r--hosts/vidhar/network/pap-secrets26
-rw-r--r--hosts/vidhar/network/pppoe.nix145
-rw-r--r--hosts/vidhar/network/ruleset.nft85
7 files changed, 236 insertions, 349 deletions
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 92d755f3..02a8d648 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,9 +1,9 @@
1{ pkgs, lib, ... }: 1{ pkgs, lib, config, ... }:
2 2
3with lib; 3with lib;
4 4
5{ 5{
6 imports = [ ./gpon.nix ./bifrost ./dhcp ]; 6 imports = [ ./pppoe.nix ./bifrost ./dhcp ];
7 7
8 config = { 8 config = {
9 networking = { 9 networking = {
@@ -61,7 +61,9 @@ with lib;
61 firewall.enable = false; 61 firewall.enable = false;
62 nftables = { 62 nftables = {
63 enable = true; 63 enable = true;
64 rulesetFile = ./ruleset.nft; 64 rulesetFile = pkgs.replaceVars ./ruleset.nft {
65 inherit (config.networking) pppInterface;
66 };
65 }; 67 };
66 68
67 resolvconf = { 69 resolvconf = {
@@ -76,16 +78,29 @@ with lib;
76 78
77 environment.etc."dnssec-trust-anchors.d/root.positive".source = "${pkgs.dns-root-data}/root.ds"; 79 environment.etc."dnssec-trust-anchors.d/root.positive".source = "${pkgs.dns-root-data}/root.ds";
78 80
79 systemd.network.networks = { 81 systemd.network = {
80 "eno1" = { 82 networks = {
81 matchConfig.Name = "eno1"; 83 "eno1" = {
82 linkConfig = { 84 matchConfig.Name = "eno1";
83 ActivationPolicy = "down"; 85 linkConfig = {
86 ActivationPolicy = "down";
87 };
88 };
89 "eno2" = {
90 matchConfig.Name = "eno2";
91 networkConfig.LinkLocalAddressing = "no";
92 };
93 "40-lan" = {
94 matchConfig.Name = "lan";
95 networkConfig = {
96 IPv6SendRA = true;
97 DHCPPrefixDelegation = true;
98 };
99 ipv6SendRAConfig = {
100 DNS = "_link_local";
101 Domains = ["lan.yggdrasil" "yggdrasil"];
102 };
84 }; 103 };
85 };
86 "eno2" = {
87 matchConfig.Name = "eno2";
88 networkConfig.LinkLocalAddressing = "no";
89 }; 104 };
90 }; 105 };
91 106
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index 11460393..eda27663 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -349,7 +349,7 @@ in {
349 goto start 349 goto start
350 350
351 :memtest 351 :memtest
352 iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin 352 chain --autofree mt86plus.efi
353 goto start 353 goto start
354 ''} $out/installer-${system}.menu.ipxe 354 ''} $out/installer-${system}.menu.ipxe
355 ''))) 355 '')))
@@ -360,7 +360,7 @@ in {
360 mkdir $out 360 mkdir $out
361 install -m 0444 -t $out \ 361 install -m 0444 -t $out \
362 ${ipxe}/{ipxe.efi,i386-ipxe.efi,ipxe.lkrn} \ 362 ${ipxe}/{ipxe.efi,i386-ipxe.efi,ipxe.lkrn} \
363 ${pkgs.memtest86plus}/{memtest.efi,memtest.bin} 363 ${pkgs.memtest86plus}/mt86plus.efi
364 install -m 0444 ${sources.netbootxyz-efi.src} $out/netboot.xyz.efi 364 install -m 0444 ${sources.netbootxyz-efi.src} $out/netboot.xyz.efi
365 install -m 0444 ${sources.netbootxyz-lkrn.src} $out/netboot.xyz.lkrn 365 install -m 0444 ${sources.netbootxyz-lkrn.src} $out/netboot.xyz.lkrn
366 '') 366 '')
@@ -411,7 +411,7 @@ in {
411 goto start 411 goto start
412 412
413 :memtest 413 :memtest
414 iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin 414 chain --autofree mt86plus.efi
415 goto start 415 goto start
416 ''} $out/eostre.menu.ipxe 416 ''} $out/eostre.menu.ipxe
417 ''))) 417 '')))
diff --git a/hosts/vidhar/network/gpon.nix b/hosts/vidhar/network/gpon.nix
deleted file mode 100644
index 1628159c..00000000
--- a/hosts/vidhar/network/gpon.nix
+++ /dev/null
@@ -1,271 +0,0 @@
1{ config, lib, pkgs, ... }:
2
3with lib;
4
5let
6 pppInterface = config.networking.pppInterface;
7in {
8 options = {
9 networking.pppInterface = mkOption {
10 type = types.str;
11 default = "gpon";
12 };
13 };
14
15 config = {
16 networking.vlans = {
17 telekom = {
18 id = 7;
19 interface = "eno2";
20 };
21 };
22
23 services.pppd = {
24 enable = true;
25 peers.telekom.config = ''
26 nodefaultroute
27 ifname ${pppInterface}
28 lcp-echo-adaptive
29 lcp-echo-failure 5
30 lcp-echo-interval 1
31 maxfail 0
32 mtu 1492
33 mru 1492
34 plugin pppoe.so
35 name telekom
36 user 002576900250551137425220#0001@t-online.de
37 nic-telekom
38 debug
39 +ipv6
40 '';
41 };
42 systemd.services."pppd-telekom" = {
43 stopIfChanged = true;
44
45 serviceConfig = {
46 PIDFile = "/run/pppd/${pppInterface}.pid";
47 };
48 restartTriggers = with config; [
49 environment.etc."ppp/ip-pre-up".source
50 environment.etc."ppp/ip-up".source
51 environment.etc."ppp/ip-down".source
52 # sops.secrets."pap-secrets".sopsFile
53 ];
54 };
55 sops.secrets."pap-secrets" = {
56 format = "binary";
57 sopsFile = ./pap-secrets;
58 path = "/etc/ppp/pap-secrets";
59 };
60
61 environment.etc = {
62 "ppp/ip-pre-up".source = let
63 app = pkgs.writeShellApplication {
64 name = "ip-pre-up";
65 runtimeInputs = with pkgs; [ iproute2 ethtool ];
66 text = ''
67 ethtool -K telekom tso off gso off gro off
68
69 ip link del "ifb4${pppInterface}" || true
70 ip link add name "ifb4${pppInterface}" type ifb
71 ip link set "ifb4${pppInterface}" up
72
73 tc qdisc del dev "ifb4${pppInterface}" root || true
74 tc qdisc del dev "${pppInterface}" ingress || true
75 tc qdisc del dev "${pppInterface}" root || true
76
77 tc qdisc add dev "${pppInterface}" handle ffff: ingress
78 tc filter add dev "${pppInterface}" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4${pppInterface}"
79 tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth 285mbit
80 tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth 143mbit
81 '';
82 };
83 in "${app}/bin/${app.meta.mainProgram}";
84 "ppp/ip-up".source = let
85 app = pkgs.writeShellApplication {
86 name = "ip-up";
87 runtimeInputs = with pkgs; [ iproute2 ];
88 text = ''
89 ip route add default via "$5" dev "${pppInterface}" metric 512
90 '';
91 };
92 in "${app}/bin/${app.meta.mainProgram}";
93 "ppp/ip-down".source = let
94 app = pkgs.writeShellApplication {
95 name = "ip-down";
96 runtimeInputs = with pkgs; [ iproute2 ];
97 text = ''
98 ip link del "ifb4${pppInterface}"
99 '';
100 };
101 in "${app}/bin/${app.meta.mainProgram}";
102 };
103
104 systemd.network.networks.${pppInterface} = {
105 matchConfig = {
106 Name = pppInterface;
107 };
108 dns = [ "::1" "127.0.0.1" ];
109 domains = [ "~." ];
110 networkConfig = {
111 LinkLocalAddressing = "no";
112 DNSSEC = true;
113 };
114 };
115
116 services.corerad = {
117 enable = true;
118 settings = {
119 interfaces = [
120 { name = pppInterface;
121 monitor = true;
122 verbose = true;
123 }
124 { name = "lan";
125 advertise = true;
126 verbose = true;
127 prefix = [{ prefix = "::/64"; }];
128 route = [{ prefix = "::/0"; }];
129 rdnss = [{ servers = ["::"]; }];
130 dnssl = [{ domain_names = ["yggdrasil"]; }];
131 # other_config = true;
132 }
133 ];
134
135 debug = {
136 address = "localhost:9430";
137 prometheus = true;
138 };
139 };
140 };
141 services.ndppd = {
142 enable = true;
143 proxies = {
144 ${pppInterface} = {
145 router = true;
146 rules = {
147 lan = {
148 method = "iface";
149 interface = "lan";
150 network = "::/0";
151 };
152 };
153 };
154 };
155 };
156 boot.kernelModules = [ "ifb" ];
157 boot.kernel.sysctl = {
158 "net.ipv6.conf.all.forwarding" = true;
159 "net.ipv6.conf.default.forwarding" = true;
160 "net.ipv4.conf.all.forwarding" = true;
161 "net.ipv4.conf.default.forwarding" = true;
162
163 "net.core.rmem_max" = 4194304;
164 "net.core.wmem_max" = 4194304;
165 };
166 systemd.services."pppd-telekom" = {
167 bindsTo = [ "sys-subsystem-net-devices-telekom.device" ];
168 after = [ "sys-subsystem-net-devices-telekom.device" ];
169 };
170 systemd.services."dhcpcd-${pppInterface}" = {
171 wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ];
172 bindsTo = [ "pppd-telekom.service" ];
173 after = [ "pppd-telekom.service" ];
174 wants = [ "network.target" ];
175 before = [ "network-online.target" ];
176
177 path = with pkgs; [ dhcpcd nettools openresolv ];
178 unitConfig.ConditionCapability = "CAP_NET_ADMIN";
179
180 stopIfChanged = true;
181
182 preStart = ''
183 i=0
184
185 while [[ -z "$(${pkgs.iproute2}/bin/ip -6 addr show dev ${pppInterface} scope link)" ]]; do
186 ${pkgs.coreutils}/bin/sleep 0.1
187 i=$((i + 1))
188 if [[ "$i" -ge 10 ]]; then
189 exit 1
190 fi
191 done
192 '';
193
194 postStop = ''
195 for dev in lan; do
196 ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"
197 done
198 '';
199
200 serviceConfig = let
201 dhcpcdConf = pkgs.writeText "dhcpcd.conf" ''
202 duid
203 vendorclassid
204 ipv6only
205
206 nooption domain_name_servers, domain_name, domain_search
207 option classless_static_routes
208 option interface_mtu
209
210 option host_name
211 option rapid_commit
212 require dhcp_server_identifier
213 slaac private
214
215 nohook resolv.conf
216 ipv6ra_autoconf
217 iaid 1195061668
218 ipv6rs # enable routing solicitation for WAN adapter
219 ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
220
221 reboot 0
222
223 waitip 6
224 '';
225 in {
226 Type = "forking";
227 PIDFile = "/var/run/dhcpcd/${pppInterface}.pid";
228 RuntimeDirectory = "dhcpcd";
229 ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf} ${pppInterface}";
230 ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind ${pppInterface}";
231 Restart = "always";
232 RestartSec = "5";
233 };
234 };
235 systemd.services.ndppd = {
236 wantedBy = [ "dhcpcd-${pppInterface}.service" ];
237 bindsTo = [ "dhcpcd-${pppInterface}.service" ];
238 after = [ "dhcpcd-${pppInterface}.service" ];
239
240 serviceConfig = {
241 Restart = "always";
242 RestartSec = "5";
243 };
244 };
245 systemd.services.corerad = {
246 wantedBy = [ "dhcpcd-${pppInterface}.service" ];
247 bindsTo = [ "dhcpcd-${pppInterface}.service" ];
248 after = [ "dhcpcd-${pppInterface}.service" ];
249
250 serviceConfig = {
251 Restart = lib.mkForce "always";
252 RestartSec = "5";
253 };
254 };
255 users.users.dhcpcd = {
256 isSystemUser = true;
257 group = "dhcpcd";
258 };
259 users.groups.dhcpcd = {};
260
261 systemd.services.unbound = {
262 wantedBy = [ "dhcpcd-${pppInterface}.service" ];
263 bindsTo = [ "dhcpcd-${pppInterface}.service" ];
264 after = [ "dhcpcd-${pppInterface}.service" ];
265
266 serviceConfig = {
267 Restart = lib.mkForce "always";
268 };
269 };
270 };
271}
diff --git a/hosts/vidhar/network/no-double-timeout.patch b/hosts/vidhar/network/no-double-timeout.patch
new file mode 100644
index 00000000..53f41ae1
--- /dev/null
+++ b/hosts/vidhar/network/no-double-timeout.patch
@@ -0,0 +1,13 @@
1diff --git i/pppd/plugins/pppoe/discovery.c w/pppd/plugins/pppoe/discovery.c
2index 86bda61..8060558 100644
3--- i/pppd/plugins/pppoe/discovery.c
4+++ w/pppd/plugins/pppoe/discovery.c
5@@ -686,7 +686,7 @@ discovery1(PPPoEConnection *conn, int waitWholeTimeoutForPADO)
6 conn->discoveryState = STATE_SENT_PADI;
7 waitForPADO(conn, timeout, waitWholeTimeoutForPADO);
8
9- timeout *= 2;
10+ // timeout *= 2;
11 } while (conn->discoveryState == STATE_SENT_PADI);
12 }
13
diff --git a/hosts/vidhar/network/pap-secrets b/hosts/vidhar/network/pap-secrets
deleted file mode 100644
index 3516de6c..00000000
--- a/hosts/vidhar/network/pap-secrets
+++ /dev/null
@@ -1,26 +0,0 @@
1{
2 "data": "ENC[AES256_GCM,data:BOyWdys7Oja54Ijv5j+kqufdokQe0onnqw/gVxpNOMf+YI/LlzJscaEtGqPh3ehVtYoSWGumCBPrjdq/zhYq4VV/PCtdeu3MnX1CH2B5bH0mFs0eXcqeGK6NErz/b5nEglv4Z19ig2CUDlbvi8h1zZAEjxTNKhT16ItCtJnBCsIoiMl2QcTTWMyh4a02v3wA1UrOQZvFuCgCHmRoBE6vpREyB23gQdrdKLk7D1LLw5C1aZnzQOhFsgs7bVjOcBnmwTao8ntXxw==,iv:X5FgYkl3DGA/lkRsoc+5XrK3Nlp/ldnFigpXpYNfSJE=,tag:qUH7m9NzuVNnOfr3rRgaOg==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": [
9 {
10 "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYTFaTDZRbDd6cFBRSTNN\nVk1kcFJXRG9TT21IMDZsVmtoZjBTNDNjeDFzCkhxNEI2Ujd6SW1STG43eE5EdzZa\nS3phenJZN0RxajBXQ1BnbUhTa3htdFEKLS0tIGVlT3lReHJSQ2UvQ1FST0M0RzVP\nNmxWNzJmNlFPclJTeDUycDJiUzA4Yk0K4JHtkEPY49TGnKPZzEoEZ131RxeQEWkR\nK1ftH2ilr2tUhiErhpqxoTqfAm33xvruqTsePxh1uC7svzKtKBlS2g==\n-----END AGE ENCRYPTED FILE-----\n"
12 }
13 ],
14 "lastmodified": "2021-11-15T08:30:09Z",
15 "mac": "ENC[AES256_GCM,data:TAgZ4ktdN9sZPMo1UtwjKdTM2QBjLorcm84HYXTGYNNEorPoqrXAWOvyWRLjx+zxzpRuDLBPQHCkjwkVO2CctxnTaWPMwITbYtQqj/5ZxACuAeX8MaSximB8s5MJK2faCuVXEnFehbnnPr5Fs8ZsgHwu2iH6DU8ScLEkgckzGV0=,iv:keUbKwWfoIIBsp5Rsm2lEba1ZHAozQY2YpA6p5qDBiU=,tag:1llGytMGvOjSVYKJXGUmXg==,type:str]",
16 "pgp": [
17 {
18 "created_at": "2023-01-30T10:58:50Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA+cwEt6Gv5oKvym4ceJek+J/5guNpmsLLXWIY5CCCSXUw\npXyQpqxm7LQnasIqYNNsNCVbB1mAu6WU6MKn0BG03YWjr8buLB+7PpwZcxeZzRfD\n0l4BAsl+vKwa2YSMCR+EWYSfeEzEVHqoGBJ60dYXuiFiNZInCik+g69PdhsGygNH\nRtIcRiCB8t94GkvdWySTq5ohi1wKOe224l9evbt4zXntVngCHxixuufLrr3Cj+EE\n=3lw4\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.1"
25 }
26} \ No newline at end of file
diff --git a/hosts/vidhar/network/pppoe.nix b/hosts/vidhar/network/pppoe.nix
new file mode 100644
index 00000000..7b342b69
--- /dev/null
+++ b/hosts/vidhar/network/pppoe.nix
@@ -0,0 +1,145 @@
1{ config, lib, pkgs, ... }:
2
3with lib;
4
5let
6 inherit (config.networking) pppInterface;
7in {
8 options = {
9 networking.pppInterface = mkOption {
10 type = types.str;
11 default = "ppp";
12 };
13 };
14
15 config = {
16 networking.vlans = {
17 telekom = {
18 id = 7;
19 interface = "eno2";
20 };
21 };
22
23 services.pppd = {
24 enable = true;
25 package = pkgs.ppp.overrideAttrs (oldAttrs: {
26 patches = (oldAttrs.patches or []) ++ [
27 ./no-double-timeout.patch
28 ];
29 });
30 peers.telekom.config = ''
31 nodefaultroute
32 ifname ${pppInterface}
33 lcp-echo-adaptive
34 lcp-echo-failure 10
35 lcp-echo-interval 1
36 maxfail 0
37 mtu 1492
38 mru 1492
39 plugin pppoe.so
40 pppoe-padi-timeout 1
41 pppoe-padi-attempts 10
42 user congstar
43 password congstar
44 nic-telekom
45 debug
46 +ipv6
47 '';
48 };
49 systemd.services."pppd-telekom" = {
50 stopIfChanged = true;
51
52 serviceConfig = {
53 Type = lib.mkForce "notify";
54 ExecStart = lib.mkForce "${getBin config.services.pppd.package}/sbin/pppd call telekom up_sdnotify nolog";
55 PIDFile = "/run/pppd/${pppInterface}.pid";
56 };
57 restartTriggers = with config; [
58 environment.etc."ppp/ip-pre-up".source
59 environment.etc."ppp/ip-up".source
60 environment.etc."ppp/ip-down".source
61 ];
62 };
63
64 environment.etc = {
65 "ppp/ip-pre-up".source = pkgs.resholve.writeScript "ip-pre-up" {
66 interpreter = pkgs.runtimeShell;
67 inputs = [ pkgs.iproute2 pkgs.ethtool ];
68 execer = [
69 "cannot:${lib.getExe' pkgs.iproute2 "ip"}"
70 "cannot:${lib.getExe' pkgs.iproute2 "tc"}"
71 ];
72 } ''
73 ethtool -K telekom tso off gso off gro off
74
75 ip link del "ifb4$1" || true
76 ip link add name "ifb4$1" type ifb
77 ip link set "ifb4$1" up
78
79 tc qdisc del dev "ifb4$1" root || true
80 tc qdisc del dev "$1" ingress || true
81 tc qdisc del dev "$1" root || true
82
83 tc qdisc add dev "$1" handle ffff: ingress
84 tc filter add dev "$1" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4$1"
85 tc qdisc replace dev "ifb4$1" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth ${toString (builtins.floor (177968 * 0.95))}kbit
86 tc qdisc replace dev "$1" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth ${toString (builtins.floor (41216 * 0.95))}kbit
87 '';
88 "ppp/ip-up".source = pkgs.resholve.writeScript "ip-up" {
89 interpreter = pkgs.runtimeShell;
90 inputs = [ pkgs.iproute2 ];
91 execer = [ "cannot:${lib.getExe' pkgs.iproute2 "ip"}" ];
92 } ''
93 ip addr add "$4" peer "$5"/32 dev "$1"
94 ip route add default dev "$1" metric 512
95 '';
96 "ppp/ip-down".source = pkgs.resholve.writeScript "ip-down" {
97 interpreter = pkgs.runtimeShell;
98 inputs = [ pkgs.iproute2 ];
99 execer = [ "cannot:${lib.getExe' pkgs.iproute2 "ip"}" ];
100 } ''
101 ip link del "ifb4$1"
102 '';
103 };
104
105 systemd.package = pkgs.systemd.overrideAttrs (oldAttrs: {
106 patches = (oldAttrs.patches or []) ++ [
107 (pkgs.fetchpatch {
108 url = "https://github.com/sysedwinistrator/systemd/commit/b9691a43551739ddacdb8d53a4312964c3ddfa08.patch";
109 hash = "sha256-TLfOTFodLzCVywnF4Xp4BR2Pja0Qq4ItE/yaKkzI414=";
110 })
111 ];
112 });
113
114 systemd.network.networks = {
115 "40-${pppInterface}" = {
116 matchConfig.Name = pppInterface;
117 dns = [ "::1" "127.0.0.1" ];
118 domains = [ "~." ];
119 networkConfig = {
120 DHCP = true;
121 DNSSEC = true;
122 };
123 dhcpV6Config = {
124 PrefixDelegationHint = "::/64";
125 WithoutRA = "solicit";
126 };
127 };
128 };
129
130 boot.kernelModules = [ "ifb" ];
131 boot.kernel.sysctl = {
132 "net.ipv6.conf.all.forwarding" = true;
133 "net.ipv6.conf.default.forwarding" = true;
134 "net.ipv4.conf.all.forwarding" = true;
135 "net.ipv4.conf.default.forwarding" = true;
136
137 "net.core.rmem_max" = 4194304;
138 "net.core.wmem_max" = 4194304;
139 };
140 systemd.services."pppd-telekom" = {
141 bindsTo = [ "sys-subsystem-net-devices-telekom.device" ];
142 after = [ "sys-subsystem-net-devices-telekom.device" ];
143 };
144 };
145}
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 7897fb3d..5df73e2f 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -5,15 +5,15 @@ table arp filter {
5 limit lim_arp_local { 5 limit lim_arp_local {
6 rate over 50 mbytes/second burst 50 mbytes 6 rate over 50 mbytes/second burst 50 mbytes
7 } 7 }
8 limit lim_arp_gpon { 8 limit lim_arp_ppp {
9 rate over 7500 kbytes/second burst 7500 kbytes 9 rate over 7500 kbytes/second burst 7500 kbytes
10 } 10 }
11 11
12 counter arp-rx {} 12 counter arp-rx {}
13 counter arp-tx {} 13 counter arp-tx {}
14 14
15 counter arp-ratelimit-gpon-rx {} 15 counter arp-ratelimit-ppp-rx {}
16 counter arp-ratelimit-gpon-tx {} 16 counter arp-ratelimit-ppp-tx {}
17 17
18 counter arp-ratelimit-local-rx {} 18 counter arp-ratelimit-local-rx {}
19 counter arp-ratelimit-local-tx {} 19 counter arp-ratelimit-local-tx {}
@@ -22,8 +22,8 @@ table arp filter {
22 type filter hook input priority filter 22 type filter hook input priority filter
23 policy accept 23 policy accept
24 24
25 iifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-rx drop 25 iifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-rx drop
26 iifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-rx drop 26 iifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-rx drop
27 27
28 counter name arp-rx 28 counter name arp-rx
29 } 29 }
@@ -32,8 +32,8 @@ table arp filter {
32 type filter hook output priority filter 32 type filter hook output priority filter
33 policy accept 33 policy accept
34 34
35 oifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-tx drop 35 oifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-tx drop
36 oifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-tx drop 36 oifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-tx drop
37 37
38 counter name arp-tx 38 counter name arp-tx
39 } 39 }
@@ -47,11 +47,11 @@ table inet filter {
47 limit lim_icmp_local { 47 limit lim_icmp_local {
48 rate over 50 mbytes/second burst 50 mbytes 48 rate over 50 mbytes/second burst 50 mbytes
49 } 49 }
50 limit lim_icmp_gpon { 50 limit lim_icmp_ppp {
51 rate over 7500 kbytes/second burst 7500 kbytes 51 rate over 7500 kbytes/second burst 7500 kbytes
52 } 52 }
53 53
54 counter icmp-ratelimit-gpon-fw {} 54 counter icmp-ratelimit-ppp-fw {}
55 counter icmp-ratelimit-local-fw {} 55 counter icmp-ratelimit-local-fw {}
56 56
57 counter icmp-fw {} 57 counter icmp-fw {}
@@ -59,8 +59,9 @@ table inet filter {
59 counter invalid-fw {} 59 counter invalid-fw {}
60 counter fw-lo {} 60 counter fw-lo {}
61 counter fw-lan {} 61 counter fw-lan {}
62 counter fw-gpon {} 62 counter fw-ppp {}
63 counter fw-kimai {} 63 counter fw-kimai {}
64 counter fw-podman {}
64 65
65 counter fw-cups {} 66 counter fw-cups {}
66 67
@@ -75,7 +76,7 @@ table inet filter {
75 counter invalid-local4-rx {} 76 counter invalid-local4-rx {}
76 counter invalid-local6-rx {} 77 counter invalid-local6-rx {}
77 78
78 counter icmp-ratelimit-gpon-rx {} 79 counter icmp-ratelimit-ppp-rx {}
79 counter icmp-ratelimit-local-rx {} 80 counter icmp-ratelimit-local-rx {}
80 counter icmp-rx {} 81 counter icmp-rx {}
81 82
@@ -97,6 +98,8 @@ table inet filter {
97 counter hledger-rx {} 98 counter hledger-rx {}
98 counter audiobookshelf-rx {} 99 counter audiobookshelf-rx {}
99 counter kimai-rx {} 100 counter kimai-rx {}
101 counter changedetection-rx {}
102 counter vikunja-rx {}
100 103
101 counter established-rx {} 104 counter established-rx {}
102 105
@@ -108,7 +111,7 @@ table inet filter {
108 111
109 counter tx-lo {} 112 counter tx-lo {}
110 113
111 counter icmp-ratelimit-gpon-tx {} 114 counter icmp-ratelimit-ppp-tx {}
112 counter icmp-ratelimit-local-tx {} 115 counter icmp-ratelimit-local-tx {}
113 counter icmp-tx {} 116 counter icmp-tx {}
114 117
@@ -130,15 +133,17 @@ table inet filter {
130 counter hledger-tx {} 133 counter hledger-tx {}
131 counter audiobookshelf-tx {} 134 counter audiobookshelf-tx {}
132 counter kimai-tx {} 135 counter kimai-tx {}
136 counter changedetection-tx {}
137 counter vikunja-tx {}
133 138
134 counter tx {} 139 counter tx {}
135 140
136 141
137 chain forward_icmp_accept { 142 chain forward_icmp_accept {
138 oifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop 143 oifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
139 iifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop 144 iifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
140 oifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop 145 oifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
141 iifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop 146 iifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
142 counter name icmp-fw accept 147 counter name icmp-fw accept
143 } 148 }
144 chain forward { 149 chain forward {
@@ -151,12 +156,14 @@ table inet filter {
151 156
152 iifname lo counter name fw-lo accept 157 iifname lo counter name fw-lo accept
153 158
154 oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept 159 oifname { lan, @pppInterface@, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
155 iifname lan oifname { gpon, bifrost } counter name fw-lan accept 160 iifname lan oifname { @pppInterface@, bifrost } counter name fw-lan accept
156 iifname ve-kimai oifname gpon counter name fw-kimai accept 161 iifname ve-kimai oifname @pppInterface@ counter name fw-kimai accept
162 iifname podman0 ip saddr 10.88.0.5 oifname @pppInterface@ counter name fw-podman accept
157 163
158 iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept 164 iifname @pppInterface@ oifname lan ct state { established, related } counter name fw-ppp accept
159 iifname gpon oifname ve-kimai ct state { established, related } counter name fw-kimai accept 165 iifname @pppInterface@ oifname ve-kimai ct state { established, related } counter name fw-kimai accept
166 iifname @pppInterface@ oifname podman0 ip daddr 10.88.0.5 ct state { established, related } counter name fw-podman accept
160 167
161 iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept 168 iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
162 iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept 169 iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
@@ -180,22 +187,22 @@ table inet filter {
180 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject 187 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
181 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject 188 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
182 189
183 iifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-rx drop 190 iifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-rx drop
184 iifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop 191 iifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
185 meta l4proto $icmp_protos counter name icmp-rx accept 192 meta l4proto $icmp_protos counter name icmp-rx accept
186 193
187 iifname { lan, mgmt, gpon, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept 194 iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
188 iifname { lan, mgmt, gpon, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept 195 iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
189 196
190 iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept 197 iifname { lan, mgmt, wifibh, yggdrasil, podman0 } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
191 198
192 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept 199 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
193 200
194 iifname { lan, mgmt, gpon } meta protocol ip udp dport 51820 counter name wg-rx accept 201 iifname { lan, mgmt, @pppInterface@ } meta protocol ip udp dport 51820 counter name wg-rx accept
195 iifname { lan, mgmt, gpon } meta protocol ip6 udp dport 51821 counter name wg-rx accept 202 iifname { lan, mgmt, @pppInterface@ } meta protocol ip6 udp dport 51821 counter name wg-rx accept
196 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept 203 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
197 204
198 iifname gpon meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept 205 iifname @pppInterface@ meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
199 206
200 iifname mgmt udp dport 123 counter name ntp-rx accept 207 iifname mgmt udp dport 123 counter name ntp-rx accept
201 208
@@ -214,6 +221,8 @@ table inet filter {
214 iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept 221 iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept
215 iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept 222 iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept
216 iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept 223 iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept
224 iifname bifrost tcp dport 5001 ip6 saddr $bifrost_surtr counter name changedetection-rx accept
225 iifname bifrost tcp dport 3456 ip6 saddr $bifrost_surtr counter name vikunja-rx accept
217 226
218 ct state { established, related } counter name established-rx accept 227 ct state { established, related } counter name established-rx accept
219 228
@@ -231,8 +240,8 @@ table inet filter {
231 240
232 oifname lo counter name tx-lo accept 241 oifname lo counter name tx-lo accept
233 242
234 oifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-tx drop 243 oifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-tx drop
235 oifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop 244 oifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
236 meta l4proto $icmp_protos counter name icmp-tx accept 245 meta l4proto $icmp_protos counter name icmp-tx accept
237 246
238 247
@@ -266,6 +275,8 @@ table inet filter {
266 iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept 275 iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept
267 iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept 276 iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept
268 iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept 277 iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept
278 iifname bifrost tcp sport 5001 ip6 daddr $bifrost_surtr counter name changedetection-tx accept
279 iifname bifrost tcp sport 3456 ip6 daddr $bifrost_surtr counter name vikunja-tx accept
269 280
270 281
271 counter name tx 282 counter name tx
@@ -273,7 +284,7 @@ table inet filter {
273} 284}
274 285
275table inet nat { 286table inet nat {
276 counter gpon-nat {} 287 counter ppp-nat {}
277 counter kimai-nat {} 288 counter kimai-nat {}
278 289
279 chain postrouting { 290 chain postrouting {
@@ -281,20 +292,20 @@ table inet nat {
281 policy accept 292 policy accept
282 293
283 294
284 meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade 295 meta nfproto ipv4 oifname @pppInterface@ counter name ppp-nat masquerade
285 iifname ve-kimai oifname gpon counter name kimai-nat masquerade 296 iifname ve-kimai oifname @pppInterface@ counter name kimai-nat masquerade
286 } 297 }
287} 298}
288 299
289table inet mss_clamp { 300table inet mss_clamp {
290 counter gpon-mss-clamp {} 301 counter ppp-mss-clamp {}
291 302
292 chain postrouting { 303 chain postrouting {
293 type filter hook postrouting priority mangle 304 type filter hook postrouting priority mangle
294 policy accept 305 policy accept
295 306
296 307
297 oifname gpon tcp flags & (syn|rst) == syn counter name gpon-mss-clamp tcp option maxseg size set rt mtu 308 oifname @pppInterface@ tcp flags & (syn|rst) == syn counter name ppp-mss-clamp tcp option maxseg size set rt mtu
298 } 309 }
299} 310}
300 311
@@ -429,7 +440,7 @@ table inet dscpclassify {
429 chain postrouting { 440 chain postrouting {
430 type filter hook postrouting priority filter + 1; policy accept 441 type filter hook postrouting priority filter + 1; policy accept
431 442
432 oifname != gpon return 443 oifname != @pppInterface@ return
433 444
434 ip dscp cs0 goto ct_set_cs0 445 ip dscp cs0 goto ct_set_cs0
435 ip dscp lephb goto ct_set_lephb 446 ip dscp lephb goto ct_set_lephb
generated by cgit v1.2.3 (git 2.25.1) at 2026-03-24 06:35:57 +0000