summaryrefslogtreecommitdiff
path: root/hosts/vidhar/network
diff options
context:
space:
mode:
Diffstat (limited to 'hosts/vidhar/network')
-rw-r--r--hosts/vidhar/network/default.nix17
-rw-r--r--hosts/vidhar/network/dhcp/default.nix221
-rw-r--r--hosts/vidhar/network/gpon.nix271
-rw-r--r--hosts/vidhar/network/no-double-timeout.patch13
-rw-r--r--hosts/vidhar/network/pap-secrets26
-rw-r--r--hosts/vidhar/network/pppoe.nix301
-rw-r--r--hosts/vidhar/network/ruleset.nft106
7 files changed, 567 insertions, 388 deletions
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 0643f0bb..6fcef9d8 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,9 +1,9 @@
1{ pkgs, lib, ... }: 1{ pkgs, lib, config, ... }:
2 2
3with lib; 3with lib;
4 4
5{ 5{
6 imports = [ ./gpon.nix ./bifrost ./dhcp ]; 6 imports = [ ./pppoe.nix ./bifrost ./dhcp ];
7 7
8 config = { 8 config = {
9 networking = { 9 networking = {
@@ -61,7 +61,9 @@ with lib;
61 firewall.enable = false; 61 firewall.enable = false;
62 nftables = { 62 nftables = {
63 enable = true; 63 enable = true;
64 rulesetFile = ./ruleset.nft; 64 rulesetFile = pkgs.replaceVars ./ruleset.nft {
65 inherit (config.networking) pppInterface;
66 };
65 }; 67 };
66 68
67 resolvconf = { 69 resolvconf = {
@@ -103,7 +105,14 @@ with lib;
103 /srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash) 105 /srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash)
104 ''; 106 '';
105 }; 107 };
106 settings.nfsd.vers3 = false; 108 settings.nfsd = {
109 rdma = true;
110 vers3 = false;
111 vers4 = true;
112 "vers4.0" = false;
113 "vers4.1" = false;
114 "vers4.2" = true;
115 };
107 }; 116 };
108 117
109 fileSystems = { 118 fileSystems = {
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index 07a83351..eda27663 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -1,8 +1,33 @@
1{ flake, config, pkgs, lib, ... }: 1{ flake, config, pkgs, lib, sources, ... }:
2 2
3with lib; 3with lib;
4 4
5{ 5let
6 nfsrootBaseUrl = "http://nfsroot.vidhar.yggdrasil";
7 tftpIp = "10.141.0.1";
8 nfsIp = tftpIp;
9 ipxe = pkgs.ipxe.override {
10 additionalTargets = {
11 "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
12 };
13 additionalOptions = [
14 "NSLOOKUP_CMD"
15 "PING_CMD"
16 "CONSOLE_CMD"
17 ];
18 embedScript = pkgs.writeText "yggdrasil.ipxe" ''
19 #!ipxe
20
21 cpair --background 9 1
22 cpair --background 9 3
23 cpair --background 9 6
24
25 set user-class iPXE-yggdrasil
26
27 autoboot
28 '';
29 };
30in {
6 config = { 31 config = {
7 services.kea = { 32 services.kea = {
8 dhcp4 = { 33 dhcp4 = {
@@ -23,41 +48,67 @@ with lib;
23 }; 48 };
24 49
25 client-classes = [ 50 client-classes = [
26 { name = "eostre-ipxe"; 51 { name = "ipxe-eostre";
27 test = "hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40' and option[77].hex == 'iPXE'"; 52 test = "hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40' and option[77].hex == 'iPXE-yggdrasil'";
28 next-server = "10.141.0.1"; 53 next-server = tftpIp;
29 boot-file-name = "http://nfsroot.vidhar.yggdrasil/eostre/netboot.ipxe"; 54 boot-file-name = "${nfsrootBaseUrl}/eostre.menu.ipxe";
55 only-if-required = true;
56 }
57 { name = "ipxe-yggdrasil";
58 test = "option[77].hex == 'iPXE-yggdrasil'";
59 next-server = tftpIp;
60 boot-file-name = "${nfsrootBaseUrl}/installer-x86_64-linux.menu.ipxe";
61 only-if-required = true;
62 }
63
64 { name = "uefi-http";
65 test = "option[client-system].hex == 0x0010";
66 option-data = [
67 { name = "vendor-class-identifier"; data = "HTTPClient"; }
68 ];
69 boot-file-name = "${nfsrootBaseUrl}/ipxe.efi";
70 only-if-required = true;
71 }
72
73 { name = "ipxe-uefi-64";
74 test = "option[77].hex == 'iPXE' and (substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009')";
75 boot-file-name = "${nfsrootBaseUrl}/ipxe.efi";
76 only-if-required = true;
77 }
78 { name = "ipxe-uefi-32";
79 test = "option[77].hex == 'iPXE' and (substring(option[60].hex,0,20) == 'PXEClient:Arch:00002' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00006')";
80 boot-file-name = "${nfsrootBaseUrl}/i386-ipxe.efi";
30 only-if-required = true; 81 only-if-required = true;
31 } 82 }
32 { name = "ipxe"; 83 { name = "ipxe-legacy";
33 test = "option[77].hex == 'iPXE'"; 84 test = "option[77].hex == 'iPXE' and substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";
34 next-server = "10.141.0.1"; 85 boot-file-name = "${nfsrootBaseUrl}/ipxe.lkrn";
35 boot-file-name = "http://nfsroot.vidhar.yggdrasil/installer-x86_64-linux/netboot.ipxe";
36 only-if-required = true; 86 only-if-required = true;
37 } 87 }
88
38 { name = "uefi-64"; 89 { name = "uefi-64";
39 test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009'"; 90 test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009'";
40 only-if-required = true;
41 option-data = [ 91 option-data = [
42 { name = "tftp-server-name"; data = "10.141.0.1"; } 92 { name = "tftp-server-name"; data = tftpIp; }
43 ]; 93 ];
44 boot-file-name = "ipxe.efi"; 94 boot-file-name = "ipxe.efi";
95 only-if-required = true;
45 } 96 }
46 { name = "uefi-32"; 97 { name = "uefi-32";
47 test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00002' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00006'"; 98 test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00002' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00006'";
48 only-if-required = true;
49 option-data = [ 99 option-data = [
50 { name = "tftp-server-name"; data = "10.141.0.1"; } 100 { name = "tftp-server-name"; data = tftpIp; }
51 ]; 101 ];
52 boot-file-name = "i386-ipxe.efi"; 102 boot-file-name = "i386-ipxe.efi";
103 only-if-required = true;
53 } 104 }
54 { name = "legacy"; 105 { name = "legacy";
55 test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'"; 106 test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";
56 only-if-required = true;
57 option-data = [ 107 option-data = [
58 { name = "tftp-server-name"; data = "10.141.0.1"; } 108 { name = "tftp-server-name"; data = tftpIp; }
59 ]; 109 ];
60 boot-file-name = "undionly.kpxe"; 110 boot-file-name = "ipxe.lkrn";
111 only-if-required = true;
61 } 112 }
62 ]; 113 ];
63 114
@@ -252,34 +303,78 @@ with lib;
252 name = "nfsroot.vidhar.yggdrasil"; 303 name = "nfsroot.vidhar.yggdrasil";
253 paths = 304 paths =
254 (map (system: 305 (map (system:
255 let 306 pkgs.symlinkJoin {
256 installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules { 307 name = "installer-${system}";
257 modules = [ 308 paths = [
258 ({ ... }: { 309 (builtins.addErrorContext "while evaluating installer-${system}-nfsroot" (let
259 config.nfsroot.storeDevice = "10.141.0.1:nix-store"; 310 installerBuild' = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
260 config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/installer-${system}/registration"; 311 modules = [
261 }) 312 ({ ... }: {
262 ]; 313 config.nfsroot.storeDevice = "${nfsIp}:nix-store";
263 }).config.system.build; 314 config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/installer-${system}/registration";
264 in builtins.toPath (pkgs.runCommandLocal "install-${system}" {} '' 315 config.system.nixos.label = "installer-${system}";
265 mkdir -p $out/installer-${system} 316 })
266 install -m 0444 -t $out/installer-${system} \ 317 ];
267 ${installerBuild.initialRamdisk}/initrd \ 318 });
268 ${installerBuild.kernel}/bzImage \ 319 installerBuild = installerBuild'.config.system.build;
269 ${installerBuild.netbootIpxeScript}/netboot.ipxe \ 320 in builtins.toPath (pkgs.runCommandLocal "installer-${system}" {} ''
270 ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration 321 mkdir -p $out/installer-${system}
271 '') 322 install -m 0444 -t $out/installer-${system} \
272 ) ["x86_64-linux"] 323 ${installerBuild.initialRamdisk}/initrd \
324 ${installerBuild.kernel}/bzImage \
325 ${installerBuild.netbootIpxeScript}/netboot.ipxe \
326 ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration
327 install -m 0444 ${pkgs.writeText "installer-${system}.menu.ipxe" ''
328 #!ipxe
329
330 :start
331 menu iPXE boot menu for installer-${system}
332 item installer ${with installerBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
333 item memtest memtest86plus
334 item netboot netboot.xyz
335 item shell iPXE shell
336 choose --timeout 0 --default installer selected || goto shell
337 goto ''${selected}
338
339 :shell
340 shell
341 goto start
342
343 :installer
344 chain installer-${system}/netboot.ipxe
345 goto start
346
347 :netboot
348 iseq ''${platform} efi && chain --autofree netboot.xyz.efi || chain --autofree netboot.xyz.lkrn
349 goto start
350
351 :memtest
352 chain --autofree mt86plus.efi
353 goto start
354 ''} $out/installer-${system}.menu.ipxe
355 '')))
356 ];
357 }) ["x86_64-linux"]
273 ) ++ [ 358 ) ++ [
274 (let 359 (pkgs.runCommandLocal "utils" {} ''
275 eostreBuild = (flake.nixosConfigurations.eostre.extendModules { 360 mkdir $out
361 install -m 0444 -t $out \
362 ${ipxe}/{ipxe.efi,i386-ipxe.efi,ipxe.lkrn} \
363 ${pkgs.memtest86plus}/mt86plus.efi
364 install -m 0444 ${sources.netbootxyz-efi.src} $out/netboot.xyz.efi
365 install -m 0444 ${sources.netbootxyz-lkrn.src} $out/netboot.xyz.lkrn
366 '')
367 (builtins.addErrorContext "while evaluating eostre" (let
368 eostreBuild' = (flake.nixosConfigurations.eostre.extendModules {
276 modules = [ 369 modules = [
277 ({ ... }: { 370 ({ ... }: {
278 config.nfsroot.storeDevice = "10.141.0.1:nix-store"; 371 config.nfsroot.storeDevice = "${nfsIp}:nix-store";
279 config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/eostre/registration"; 372 config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/eostre/registration";
373 config.system.nixos.label = "eostre";
280 }) 374 })
281 ]; 375 ];
282 }).config.system.build; 376 });
377 eostreBuild = eostreBuild'.config.system.build;
283 in builtins.toPath (pkgs.runCommandLocal "eostre" {} '' 378 in builtins.toPath (pkgs.runCommandLocal "eostre" {} ''
284 mkdir -p $out/eostre 379 mkdir -p $out/eostre
285 install -m 0444 -t $out/eostre \ 380 install -m 0444 -t $out/eostre \
@@ -287,7 +382,39 @@ with lib;
287 ${eostreBuild.kernel}/bzImage \ 382 ${eostreBuild.kernel}/bzImage \
288 ${eostreBuild.netbootIpxeScript}/netboot.ipxe \ 383 ${eostreBuild.netbootIpxeScript}/netboot.ipxe \
289 ${pkgs.closureInfo { rootPaths = eostreBuild.storeContents; }}/registration 384 ${pkgs.closureInfo { rootPaths = eostreBuild.storeContents; }}/registration
290 '')) 385 install -m 0444 ${pkgs.writeText "eostre.menu.ipxe" ''
386 #!ipxe
387
388 set menu-timeout 5000
389
390 :start
391 menu iPXE boot menu for eostre
392 item eostre ${with eostreBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
393 item memtest memtest86plus
394 item netboot netboot.xyz
395 item shell iPXE shell
396 choose --timeout ''${menu-timeout} --default eostre selected || goto shell
397 set menu-timeout 0
398 goto ''${selected}
399
400 :shell
401 set menu-timeout 0
402 shell
403 goto start
404
405 :eostre
406 chain eostre/netboot.ipxe
407 goto start
408
409 :netboot
410 iseq ''${platform} efi && chain --autofree netboot.xyz.efi || chain --autofree netboot.xyz.lkrn
411 goto start
412
413 :memtest
414 chain --autofree mt86plus.efi
415 goto start
416 ''} $out/eostre.menu.ipxe
417 '')))
291 ]; 418 ];
292 }; 419 };
293 }; 420 };
@@ -298,20 +425,12 @@ with lib;
298 after = [ "network.target" ]; 425 after = [ "network.target" ];
299 wantedBy = [ "multi-user.target" ]; 426 wantedBy = [ "multi-user.target" ];
300 serviceConfig.ExecStart = let 427 serviceConfig.ExecStart = let
301 ipxe = pkgs.ipxe.override {
302 additionalTargets = {
303 "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
304 };
305 additionalOptions = [
306 "NSLOOKUP_CMD"
307 ];
308 };
309 tftpRoot = pkgs.runCommandLocal "netboot" {} '' 428 tftpRoot = pkgs.runCommandLocal "netboot" {} ''
310 mkdir -p $out 429 mkdir -p $out
311 install -m 0444 -t $out \ 430 install -m 0444 -t $out \
312 ${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe 431 ${ipxe}/{ipxe.efi,i386-ipxe.efi,ipxe.lkrn}
313 ''; 432 '';
314 in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}"; 433 in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=${tftpIp} ${tftpRoot}";
315 }; 434 };
316 }; 435 };
317} 436}
diff --git a/hosts/vidhar/network/gpon.nix b/hosts/vidhar/network/gpon.nix
deleted file mode 100644
index 1628159c..00000000
--- a/hosts/vidhar/network/gpon.nix
+++ /dev/null
@@ -1,271 +0,0 @@
1{ config, lib, pkgs, ... }:
2
3with lib;
4
5let
6 pppInterface = config.networking.pppInterface;
7in {
8 options = {
9 networking.pppInterface = mkOption {
10 type = types.str;
11 default = "gpon";
12 };
13 };
14
15 config = {
16 networking.vlans = {
17 telekom = {
18 id = 7;
19 interface = "eno2";
20 };
21 };
22
23 services.pppd = {
24 enable = true;
25 peers.telekom.config = ''
26 nodefaultroute
27 ifname ${pppInterface}
28 lcp-echo-adaptive
29 lcp-echo-failure 5
30 lcp-echo-interval 1
31 maxfail 0
32 mtu 1492
33 mru 1492
34 plugin pppoe.so
35 name telekom
36 user 002576900250551137425220#0001@t-online.de
37 nic-telekom
38 debug
39 +ipv6
40 '';
41 };
42 systemd.services."pppd-telekom" = {
43 stopIfChanged = true;
44
45 serviceConfig = {
46 PIDFile = "/run/pppd/${pppInterface}.pid";
47 };
48 restartTriggers = with config; [
49 environment.etc."ppp/ip-pre-up".source
50 environment.etc."ppp/ip-up".source
51 environment.etc."ppp/ip-down".source
52 # sops.secrets."pap-secrets".sopsFile
53 ];
54 };
55 sops.secrets."pap-secrets" = {
56 format = "binary";
57 sopsFile = ./pap-secrets;
58 path = "/etc/ppp/pap-secrets";
59 };
60
61 environment.etc = {
62 "ppp/ip-pre-up".source = let
63 app = pkgs.writeShellApplication {
64 name = "ip-pre-up";
65 runtimeInputs = with pkgs; [ iproute2 ethtool ];
66 text = ''
67 ethtool -K telekom tso off gso off gro off
68
69 ip link del "ifb4${pppInterface}" || true
70 ip link add name "ifb4${pppInterface}" type ifb
71 ip link set "ifb4${pppInterface}" up
72
73 tc qdisc del dev "ifb4${pppInterface}" root || true
74 tc qdisc del dev "${pppInterface}" ingress || true
75 tc qdisc del dev "${pppInterface}" root || true
76
77 tc qdisc add dev "${pppInterface}" handle ffff: ingress
78 tc filter add dev "${pppInterface}" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4${pppInterface}"
79 tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth 285mbit
80 tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth 143mbit
81 '';
82 };
83 in "${app}/bin/${app.meta.mainProgram}";
84 "ppp/ip-up".source = let
85 app = pkgs.writeShellApplication {
86 name = "ip-up";
87 runtimeInputs = with pkgs; [ iproute2 ];
88 text = ''
89 ip route add default via "$5" dev "${pppInterface}" metric 512
90 '';
91 };
92 in "${app}/bin/${app.meta.mainProgram}";
93 "ppp/ip-down".source = let
94 app = pkgs.writeShellApplication {
95 name = "ip-down";
96 runtimeInputs = with pkgs; [ iproute2 ];
97 text = ''
98 ip link del "ifb4${pppInterface}"
99 '';
100 };
101 in "${app}/bin/${app.meta.mainProgram}";
102 };
103
104 systemd.network.networks.${pppInterface} = {
105 matchConfig = {
106 Name = pppInterface;
107 };
108 dns = [ "::1" "127.0.0.1" ];
109 domains = [ "~." ];
110 networkConfig = {
111 LinkLocalAddressing = "no";
112 DNSSEC = true;
113 };
114 };
115
116 services.corerad = {
117 enable = true;
118 settings = {
119 interfaces = [
120 { name = pppInterface;
121 monitor = true;
122 verbose = true;
123 }
124 { name = "lan";
125 advertise = true;
126 verbose = true;
127 prefix = [{ prefix = "::/64"; }];
128 route = [{ prefix = "::/0"; }];
129 rdnss = [{ servers = ["::"]; }];
130 dnssl = [{ domain_names = ["yggdrasil"]; }];
131 # other_config = true;
132 }
133 ];
134
135 debug = {
136 address = "localhost:9430";
137 prometheus = true;
138 };
139 };
140 };
141 services.ndppd = {
142 enable = true;
143 proxies = {
144 ${pppInterface} = {
145 router = true;
146 rules = {
147 lan = {
148 method = "iface";
149 interface = "lan";
150 network = "::/0";
151 };
152 };
153 };
154 };
155 };
156 boot.kernelModules = [ "ifb" ];
157 boot.kernel.sysctl = {
158 "net.ipv6.conf.all.forwarding" = true;
159 "net.ipv6.conf.default.forwarding" = true;
160 "net.ipv4.conf.all.forwarding" = true;
161 "net.ipv4.conf.default.forwarding" = true;
162
163 "net.core.rmem_max" = 4194304;
164 "net.core.wmem_max" = 4194304;
165 };
166 systemd.services."pppd-telekom" = {
167 bindsTo = [ "sys-subsystem-net-devices-telekom.device" ];
168 after = [ "sys-subsystem-net-devices-telekom.device" ];
169 };
170 systemd.services."dhcpcd-${pppInterface}" = {
171 wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ];
172 bindsTo = [ "pppd-telekom.service" ];
173 after = [ "pppd-telekom.service" ];
174 wants = [ "network.target" ];
175 before = [ "network-online.target" ];
176
177 path = with pkgs; [ dhcpcd nettools openresolv ];
178 unitConfig.ConditionCapability = "CAP_NET_ADMIN";
179
180 stopIfChanged = true;
181
182 preStart = ''
183 i=0
184
185 while [[ -z "$(${pkgs.iproute2}/bin/ip -6 addr show dev ${pppInterface} scope link)" ]]; do
186 ${pkgs.coreutils}/bin/sleep 0.1
187 i=$((i + 1))
188 if [[ "$i" -ge 10 ]]; then
189 exit 1
190 fi
191 done
192 '';
193
194 postStop = ''
195 for dev in lan; do
196 ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"
197 done
198 '';
199
200 serviceConfig = let
201 dhcpcdConf = pkgs.writeText "dhcpcd.conf" ''
202 duid
203 vendorclassid
204 ipv6only
205
206 nooption domain_name_servers, domain_name, domain_search
207 option classless_static_routes
208 option interface_mtu
209
210 option host_name
211 option rapid_commit
212 require dhcp_server_identifier
213 slaac private
214
215 nohook resolv.conf
216 ipv6ra_autoconf
217 iaid 1195061668
218 ipv6rs # enable routing solicitation for WAN adapter
219 ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
220
221 reboot 0
222
223 waitip 6
224 '';
225 in {
226 Type = "forking";
227 PIDFile = "/var/run/dhcpcd/${pppInterface}.pid";
228 RuntimeDirectory = "dhcpcd";
229 ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf} ${pppInterface}";
230 ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind ${pppInterface}";
231 Restart = "always";
232 RestartSec = "5";
233 };
234 };
235 systemd.services.ndppd = {
236 wantedBy = [ "dhcpcd-${pppInterface}.service" ];
237 bindsTo = [ "dhcpcd-${pppInterface}.service" ];
238 after = [ "dhcpcd-${pppInterface}.service" ];
239
240 serviceConfig = {
241 Restart = "always";
242 RestartSec = "5";
243 };
244 };
245 systemd.services.corerad = {
246 wantedBy = [ "dhcpcd-${pppInterface}.service" ];
247 bindsTo = [ "dhcpcd-${pppInterface}.service" ];
248 after = [ "dhcpcd-${pppInterface}.service" ];
249
250 serviceConfig = {
251 Restart = lib.mkForce "always";
252 RestartSec = "5";
253 };
254 };
255 users.users.dhcpcd = {
256 isSystemUser = true;
257 group = "dhcpcd";
258 };
259 users.groups.dhcpcd = {};
260
261 systemd.services.unbound = {
262 wantedBy = [ "dhcpcd-${pppInterface}.service" ];
263 bindsTo = [ "dhcpcd-${pppInterface}.service" ];
264 after = [ "dhcpcd-${pppInterface}.service" ];
265
266 serviceConfig = {
267 Restart = lib.mkForce "always";
268 };
269 };
270 };
271}
diff --git a/hosts/vidhar/network/no-double-timeout.patch b/hosts/vidhar/network/no-double-timeout.patch
new file mode 100644
index 00000000..53f41ae1
--- /dev/null
+++ b/hosts/vidhar/network/no-double-timeout.patch
@@ -0,0 +1,13 @@
1diff --git i/pppd/plugins/pppoe/discovery.c w/pppd/plugins/pppoe/discovery.c
2index 86bda61..8060558 100644
3--- i/pppd/plugins/pppoe/discovery.c
4+++ w/pppd/plugins/pppoe/discovery.c
5@@ -686,7 +686,7 @@ discovery1(PPPoEConnection *conn, int waitWholeTimeoutForPADO)
6 conn->discoveryState = STATE_SENT_PADI;
7 waitForPADO(conn, timeout, waitWholeTimeoutForPADO);
8
9- timeout *= 2;
10+ // timeout *= 2;
11 } while (conn->discoveryState == STATE_SENT_PADI);
12 }
13
diff --git a/hosts/vidhar/network/pap-secrets b/hosts/vidhar/network/pap-secrets
deleted file mode 100644
index 3516de6c..00000000
--- a/hosts/vidhar/network/pap-secrets
+++ /dev/null
@@ -1,26 +0,0 @@
1{
2 "data": "ENC[AES256_GCM,data:BOyWdys7Oja54Ijv5j+kqufdokQe0onnqw/gVxpNOMf+YI/LlzJscaEtGqPh3ehVtYoSWGumCBPrjdq/zhYq4VV/PCtdeu3MnX1CH2B5bH0mFs0eXcqeGK6NErz/b5nEglv4Z19ig2CUDlbvi8h1zZAEjxTNKhT16ItCtJnBCsIoiMl2QcTTWMyh4a02v3wA1UrOQZvFuCgCHmRoBE6vpREyB23gQdrdKLk7D1LLw5C1aZnzQOhFsgs7bVjOcBnmwTao8ntXxw==,iv:X5FgYkl3DGA/lkRsoc+5XrK3Nlp/ldnFigpXpYNfSJE=,tag:qUH7m9NzuVNnOfr3rRgaOg==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": [
9 {
10 "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYTFaTDZRbDd6cFBRSTNN\nVk1kcFJXRG9TT21IMDZsVmtoZjBTNDNjeDFzCkhxNEI2Ujd6SW1STG43eE5EdzZa\nS3phenJZN0RxajBXQ1BnbUhTa3htdFEKLS0tIGVlT3lReHJSQ2UvQ1FST0M0RzVP\nNmxWNzJmNlFPclJTeDUycDJiUzA4Yk0K4JHtkEPY49TGnKPZzEoEZ131RxeQEWkR\nK1ftH2ilr2tUhiErhpqxoTqfAm33xvruqTsePxh1uC7svzKtKBlS2g==\n-----END AGE ENCRYPTED FILE-----\n"
12 }
13 ],
14 "lastmodified": "2021-11-15T08:30:09Z",
15 "mac": "ENC[AES256_GCM,data:TAgZ4ktdN9sZPMo1UtwjKdTM2QBjLorcm84HYXTGYNNEorPoqrXAWOvyWRLjx+zxzpRuDLBPQHCkjwkVO2CctxnTaWPMwITbYtQqj/5ZxACuAeX8MaSximB8s5MJK2faCuVXEnFehbnnPr5Fs8ZsgHwu2iH6DU8ScLEkgckzGV0=,iv:keUbKwWfoIIBsp5Rsm2lEba1ZHAozQY2YpA6p5qDBiU=,tag:1llGytMGvOjSVYKJXGUmXg==,type:str]",
16 "pgp": [
17 {
18 "created_at": "2023-01-30T10:58:50Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA+cwEt6Gv5oKvym4ceJek+J/5guNpmsLLXWIY5CCCSXUw\npXyQpqxm7LQnasIqYNNsNCVbB1mAu6WU6MKn0BG03YWjr8buLB+7PpwZcxeZzRfD\n0l4BAsl+vKwa2YSMCR+EWYSfeEzEVHqoGBJ60dYXuiFiNZInCik+g69PdhsGygNH\nRtIcRiCB8t94GkvdWySTq5ohi1wKOe224l9evbt4zXntVngCHxixuufLrr3Cj+EE\n=3lw4\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.1"
25 }
26} \ No newline at end of file
diff --git a/hosts/vidhar/network/pppoe.nix b/hosts/vidhar/network/pppoe.nix
new file mode 100644
index 00000000..6b4942a6
--- /dev/null
+++ b/hosts/vidhar/network/pppoe.nix
@@ -0,0 +1,301 @@
1{ config, lib, pkgs, ... }:
2
3with lib;
4
5let
6 inherit (config.networking) pppInterface;
7in {
8 options = {
9 networking.pppInterface = mkOption {
10 type = types.str;
11 default = "ppp";
12 };
13 };
14
15 config = {
16 networking.vlans = {
17 telekom = {
18 id = 7;
19 interface = "eno2";
20 };
21 };
22
23 services.pppd = {
24 enable = true;
25 package = pkgs.ppp.overrideAttrs (oldAttrs: {
26 patches = (oldAttrs.patches or []) ++ [
27 ./no-double-timeout.patch
28 ];
29 });
30 peers.telekom.config = ''
31 nodefaultroute
32 ifname ${pppInterface}
33 lcp-echo-adaptive
34 lcp-echo-failure 10
35 lcp-echo-interval 1
36 maxfail 0
37 mtu 1492
38 mru 1492
39 plugin pppoe.so
40 pppoe-padi-timeout 1
41 pppoe-padi-attempts 10
42 user congstar
43 password congstar
44 nic-telekom
45 debug
46 +ipv6
47 '';
48 };
49 systemd.services."pppd-telekom" = {
50 stopIfChanged = true;
51
52 serviceConfig = {
53 Type = lib.mkForce "notify";
54 ExecStart = lib.mkForce "${getBin config.services.pppd.package}/sbin/pppd call telekom up_sdnotify nolog";
55 PIDFile = "/run/pppd/${pppInterface}.pid";
56 };
57 restartTriggers = with config; [
58 environment.etc."ppp/ip-pre-up".source
59 environment.etc."ppp/ip-up".source
60 environment.etc."ppp/ip-down".source
61 ];
62 };
63
64 environment.etc = {
65 "ppp/ip-pre-up".source = pkgs.resholve.writeScript "ip-pre-up" {
66 interpreter = pkgs.runtimeShell;
67 inputs = [ pkgs.iproute2 pkgs.ethtool ];
68 execer = [
69 "cannot:${lib.getExe' pkgs.iproute2 "ip"}"
70 "cannot:${lib.getExe' pkgs.iproute2 "tc"}"
71 ];
72 } ''
73 ethtool -K telekom tso off gso off gro off
74
75 ip link del "ifb4$1" || true
76 ip link add name "ifb4$1" type ifb
77 ip link set "ifb4$1" up
78
79 tc qdisc del dev "ifb4$1" root || true
80 tc qdisc del dev "$1" ingress || true
81 tc qdisc del dev "$1" root || true
82
83 tc qdisc add dev "$1" handle ffff: ingress
84 tc filter add dev "$1" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4$1"
85 tc qdisc replace dev "ifb4$1" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth ${toString (builtins.floor (177968 * 0.95))}kbit
86 tc qdisc replace dev "$1" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth ${toString (builtins.floor (41216 * 0.95))}kbit
87 '';
88 "ppp/ip-up".source = pkgs.resholve.writeScript "ip-up" {
89 interpreter = pkgs.runtimeShell;
90 inputs = [ pkgs.iproute2 ];
91 execer = [ "cannot:${lib.getExe' pkgs.iproute2 "ip"}" ];
92 } ''
93 ip addr add "$4" peer "$5"/32 dev "$1"
94 ip route add default dev "$1" metric 512
95 '';
96 "ppp/ip-down".source = pkgs.resholve.writeScript "ip-down" {
97 interpreter = pkgs.runtimeShell;
98 inputs = [ pkgs.iproute2 ];
99 execer = [ "cannot:${lib.getExe' pkgs.iproute2 "ip"}" ];
100 } ''
101 ip link del "ifb4$1"
102 '';
103 };
104
105 systemd.network.networks.${pppInterface} = {
106 matchConfig = {
107 Name = pppInterface;
108 };
109 dns = [ "::1" "127.0.0.1" ];
110 domains = [ "~." ];
111 networkConfig = {
112 LinkLocalAddressing = "no";
113 DNSSEC = true;
114 };
115 };
116
117 services.ndppd = {
118 enable = true;
119 proxies = {
120 ${pppInterface} = {
121 router = true;
122 rules = {
123 lan = {
124 method = "iface";
125 interface = "lan";
126 network = "::/0";
127 };
128 };
129 };
130 };
131 };
132 boot.kernelModules = [ "ifb" ];
133 boot.kernel.sysctl = {
134 "net.ipv6.conf.all.forwarding" = true;
135 "net.ipv6.conf.default.forwarding" = true;
136 "net.ipv4.conf.all.forwarding" = true;
137 "net.ipv4.conf.default.forwarding" = true;
138
139 "net.core.rmem_max" = 4194304;
140 "net.core.wmem_max" = 4194304;
141 };
142 systemd.services."pppd-telekom" = {
143 bindsTo = [ "sys-subsystem-net-devices-telekom.device" ];
144 after = [ "sys-subsystem-net-devices-telekom.device" ];
145 };
146
147 networking.interfaces.${pppInterface}.useDHCP = true;
148 networking.dhcpcd = {
149 enable = true;
150 persistent = false;
151 setHostname = false;
152 wait = "ipv6";
153 IPv6rs = false;
154
155 extraConfig = ''
156 duid
157 vendorclassid
158 ipv6only
159
160 require dhcp_server_identifier
161
162 reboot 0
163
164 interface ${pppInterface}
165 nooption domain_name_servers, domain_name, domain_search, ntp_servers
166 nohook hostname, resolv.conf
167 option rapid_commit
168
169 ipv6rs
170
171 ia_pd 1 lan/0/64/0
172 '';
173 };
174 systemd.services.dhcpcd = {
175 wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ];
176 bindsTo = [ "pppd-telekom.service" ];
177 after = [ "pppd-telekom.service" ];
178 wants = [ "network.target" ];
179 before = [ "network-online.target" ];
180
181 serviceConfig = {
182 ExecStartPre = [
183 (pkgs.resholve.writeScript "wait-${pppInterface}-ip" {
184 interpreter = pkgs.runtimeShell;
185 inputs = with pkgs; [ iproute2 coreutils ];
186 execer = [
187 "cannot:${lib.getExe' pkgs.iproute2 "ip"}"
188 ];
189 } ''
190 i=0
191
192 while [[ -z "$(ip -6 addr show dev ${pppInterface} scope link)" ]]; do
193 sleep 0.1
194 i=$((i + 1))
195 if [[ "$i" -ge 10 ]]; then
196 exit 1
197 fi
198 done
199 '')
200 ];
201
202 RestartSec = "5";
203 };
204 };
205 systemd.services.ndppd = {
206 wantedBy = [ "dhcpcd.service" ];
207 bindsTo = [ "dhcpcd.service" ];
208 after = [ "dhcpcd.service" ];
209
210 serviceConfig = {
211 Restart = "always";
212 RestartSec = "5";
213 };
214 };
215 systemd.services.radvd = {
216 wantedBy = [ "dhcpcd.service" "multi-user.target" ];
217 bindsTo = [ "dhcpcd.service" ];
218 after = [ "dhcpcd.service" "network.target" ];
219
220 serviceConfig = {
221 Restart = "always";
222 RestartSec = "5";
223 DynamicUser = true;
224 AmbientCapabilities = ["CAP_NET_ADMIN" "CAP_NET_RAW"];
225 CapabilityBoundingSet = ["CAP_NET_ADMIN" "CAP_NET_RAW"];
226 RuntimeDirectory = "radvd";
227 PIDFile = "$RUNTIME_DIRECTORY/radvd.pid";
228 ExecStart = pkgs.writers.writePython3 "radvd-genconfig" {
229 libraries = with pkgs.python3Packages; [ jinja2 ];
230 doCheck = false;
231 } ''
232 import os
233 import sys
234 from tempfile import NamedTemporaryFile
235 import subprocess
236 import json
237 import jinja2
238 from pathlib import Path
239 from ipaddress import IPv6Network
240
241
242 def network_address(value, prefixlen):
243 return IPv6Network(value + "/" + str(prefixlen), strict=False).network_address
244
245
246 with subprocess.Popen(["${lib.getExe' pkgs.iproute2 "ip"}", "-j", "addr", "show", "dev", "lan"], stdout=subprocess.PIPE) as proc:
247 addresses = json.load(proc.stdout)
248
249 global_addresses = [ addr for addr in addresses[0]["addr_info"] if addr["family"] == "inet6" and addr["scope"] == "global" ]
250
251 if not global_addresses:
252 sys.exit(1)
253
254 with NamedTemporaryFile(mode='w', dir=os.environ["RUNTIME_DIRECTORY"], prefix="radvd.", suffix=".conf", delete=False) as fh:
255 config_file = fh.name
256 env = jinja2.Environment(
257 loader = jinja2.FileSystemLoader("${pkgs.writeTextDir "radvd.conf.jinja2" ''
258 interface lan {
259 IgnoreIfMissing off;
260 AdvSendAdvert on;
261 MaxRtrAdvInterval 240;
262 {% for addr in addrs %}
263 prefix {{addr["local"] | network_address(addr["prefixlen"])}}/{{addr["prefixlen"]}} {
264 AdvValidLifetime 86400;
265 AdvPreferredLifetime 300;
266 DeprecatePrefix on;
267 };
268 route {{addr["local"] | network_address(56)}}/56 {
269 AdvRouteLifetime 300;
270 RemoveRoute on;
271 };
272 RDNSS {{addr["local"]}} {
273 AdvRDNSSLifetime 300;
274 };
275 {%- endfor %}
276 DNSSL yggdrasil {};
277 };
278 ''}"),
279 autoescape = False,
280 )
281 env.filters["network_address"] = network_address
282 env.get_template("radvd.conf.jinja2").stream({
283 "addrs": global_addresses,
284 }).dump(fh)
285
286 os.execv("${lib.getExe' pkgs.radvd "radvd"}", ["radvd", "-n", "-p", str(Path(os.environ["RUNTIME_DIRECTORY"]) / "radvd.pid"), "-d", "1", "-C", config_file])
287 '';
288 };
289 };
290
291 systemd.services.unbound = {
292 wantedBy = [ "dhcpcd.service" ];
293 bindsTo = [ "dhcpcd.service" ];
294 after = [ "dhcpcd.service" ];
295
296 serviceConfig = {
297 Restart = lib.mkForce "always";
298 };
299 };
300 };
301}
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 9f519302..44b6b7a9 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -1,18 +1,19 @@
1define icmp_protos = { ipv6-icmp, icmp, igmp } 1define icmp_protos = { ipv6-icmp, icmp, igmp }
2define bifrost_surtr = 2a03:4000:52:ada:4::/128
2 3
3table arp filter { 4table arp filter {
4 limit lim_arp_local { 5 limit lim_arp_local {
5 rate over 50 mbytes/second burst 50 mbytes 6 rate over 50 mbytes/second burst 50 mbytes
6 } 7 }
7 limit lim_arp_gpon { 8 limit lim_arp_ppp {
8 rate over 7500 kbytes/second burst 7500 kbytes 9 rate over 7500 kbytes/second burst 7500 kbytes
9 } 10 }
10 11
11 counter arp-rx {} 12 counter arp-rx {}
12 counter arp-tx {} 13 counter arp-tx {}
13 14
14 counter arp-ratelimit-gpon-rx {} 15 counter arp-ratelimit-ppp-rx {}
15 counter arp-ratelimit-gpon-tx {} 16 counter arp-ratelimit-ppp-tx {}
16 17
17 counter arp-ratelimit-local-rx {} 18 counter arp-ratelimit-local-rx {}
18 counter arp-ratelimit-local-tx {} 19 counter arp-ratelimit-local-tx {}
@@ -21,8 +22,8 @@ table arp filter {
21 type filter hook input priority filter 22 type filter hook input priority filter
22 policy accept 23 policy accept
23 24
24 iifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-rx drop 25 iifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-rx drop
25 iifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-rx drop 26 iifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-rx drop
26 27
27 counter name arp-rx 28 counter name arp-rx
28 } 29 }
@@ -31,8 +32,8 @@ table arp filter {
31 type filter hook output priority filter 32 type filter hook output priority filter
32 policy accept 33 policy accept
33 34
34 oifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-tx drop 35 oifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-tx drop
35 oifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-tx drop 36 oifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-tx drop
36 37
37 counter name arp-tx 38 counter name arp-tx
38 } 39 }
@@ -46,11 +47,11 @@ table inet filter {
46 limit lim_icmp_local { 47 limit lim_icmp_local {
47 rate over 50 mbytes/second burst 50 mbytes 48 rate over 50 mbytes/second burst 50 mbytes
48 } 49 }
49 limit lim_icmp_gpon { 50 limit lim_icmp_ppp {
50 rate over 7500 kbytes/second burst 7500 kbytes 51 rate over 7500 kbytes/second burst 7500 kbytes
51 } 52 }
52 53
53 counter icmp-ratelimit-gpon-fw {} 54 counter icmp-ratelimit-ppp-fw {}
54 counter icmp-ratelimit-local-fw {} 55 counter icmp-ratelimit-local-fw {}
55 56
56 counter icmp-fw {} 57 counter icmp-fw {}
@@ -58,7 +59,9 @@ table inet filter {
58 counter invalid-fw {} 59 counter invalid-fw {}
59 counter fw-lo {} 60 counter fw-lo {}
60 counter fw-lan {} 61 counter fw-lan {}
61 counter fw-gpon {} 62 counter fw-ppp {}
63 counter fw-kimai {}
64 counter fw-podman {}
62 65
63 counter fw-cups {} 66 counter fw-cups {}
64 67
@@ -73,7 +76,7 @@ table inet filter {
73 counter invalid-local4-rx {} 76 counter invalid-local4-rx {}
74 counter invalid-local6-rx {} 77 counter invalid-local6-rx {}
75 78
76 counter icmp-ratelimit-gpon-rx {} 79 counter icmp-ratelimit-ppp-rx {}
77 counter icmp-ratelimit-local-rx {} 80 counter icmp-ratelimit-local-rx {}
78 counter icmp-rx {} 81 counter icmp-rx {}
79 82
@@ -90,6 +93,12 @@ table inet filter {
90 counter http-rx {} 93 counter http-rx {}
91 counter tftp-rx {} 94 counter tftp-rx {}
92 counter pgbackrest-rx {} 95 counter pgbackrest-rx {}
96 counter immich-rx {}
97 counter paperless-rx {}
98 counter hledger-rx {}
99 counter audiobookshelf-rx {}
100 counter kimai-rx {}
101 counter changedetection-rx {}
93 102
94 counter established-rx {} 103 counter established-rx {}
95 104
@@ -101,7 +110,7 @@ table inet filter {
101 110
102 counter tx-lo {} 111 counter tx-lo {}
103 112
104 counter icmp-ratelimit-gpon-tx {} 113 counter icmp-ratelimit-ppp-tx {}
105 counter icmp-ratelimit-local-tx {} 114 counter icmp-ratelimit-local-tx {}
106 counter icmp-tx {} 115 counter icmp-tx {}
107 116
@@ -118,15 +127,21 @@ table inet filter {
118 counter http-tx {} 127 counter http-tx {}
119 counter tftp-tx {} 128 counter tftp-tx {}
120 counter pgbackrest-tx {} 129 counter pgbackrest-tx {}
130 counter immich-tx {}
131 counter paperless-tx {}
132 counter hledger-tx {}
133 counter audiobookshelf-tx {}
134 counter kimai-tx {}
135 counter changedetection-tx {}
121 136
122 counter tx {} 137 counter tx {}
123 138
124 139
125 chain forward_icmp_accept { 140 chain forward_icmp_accept {
126 oifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop 141 oifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
127 iifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop 142 iifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
128 oifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop 143 oifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
129 iifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop 144 iifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
130 counter name icmp-fw accept 145 counter name icmp-fw accept
131 } 146 }
132 chain forward { 147 chain forward {
@@ -139,10 +154,17 @@ table inet filter {
139 154
140 iifname lo counter name fw-lo accept 155 iifname lo counter name fw-lo accept
141 156
142 oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept 157 oifname { lan, @pppInterface@, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
143 iifname lan oifname { gpon, bifrost } counter name fw-lan accept 158 iifname lan oifname { @pppInterface@, bifrost } counter name fw-lan accept
159 iifname ve-kimai oifname @pppInterface@ counter name fw-kimai accept
160 iifname podman0 ip saddr 10.88.0.5 oifname @pppInterface@ counter name fw-podman accept
144 161
145 iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept 162 iifname @pppInterface@ oifname lan ct state { established, related } counter name fw-ppp accept
163 iifname @pppInterface@ oifname ve-kimai ct state { established, related } counter name fw-kimai accept
164 iifname @pppInterface@ oifname podman0 ip daddr 10.88.0.5 ct state { established, related } counter name fw-podman accept
165
166 iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
167 iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
146 168
147 169
148 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop 170 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -163,22 +185,22 @@ table inet filter {
163 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject 185 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
164 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject 186 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
165 187
166 iifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-rx drop 188 iifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-rx drop
167 iifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop 189 iifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
168 meta l4proto $icmp_protos counter name icmp-rx accept 190 meta l4proto $icmp_protos counter name icmp-rx accept
169 191
170 iifname { lan, mgmt, gpon, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept 192 iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
171 iifname { lan, mgmt, gpon, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept 193 iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
172 194
173 iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept 195 iifname { lan, mgmt, wifibh, yggdrasil, podman0 } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
174 196
175 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept 197 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
176 198
177 iifname { lan, mgmt, gpon } meta protocol ip udp dport 51820 counter name wg-rx accept 199 iifname { lan, mgmt, @pppInterface@ } meta protocol ip udp dport 51820 counter name wg-rx accept
178 iifname { lan, mgmt, gpon } meta protocol ip6 udp dport 51821 counter name wg-rx accept 200 iifname { lan, mgmt, @pppInterface@ } meta protocol ip6 udp dport 51821 counter name wg-rx accept
179 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept 201 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
180 202
181 iifname gpon meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept 203 iifname @pppInterface@ meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
182 204
183 iifname mgmt udp dport 123 counter name ntp-rx accept 205 iifname mgmt udp dport 123 counter name ntp-rx accept
184 206
@@ -193,6 +215,12 @@ table inet filter {
193 215
194 tcp dport 8432 counter name pgbackrest-rx accept 216 tcp dport 8432 counter name pgbackrest-rx accept
195 217
218 iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept
219 iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept
220 iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept
221 iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept
222 iifname bifrost tcp dport 5001 ip6 saddr $bifrost_surtr counter name changedetection-rx accept
223
196 ct state { established, related } counter name established-rx accept 224 ct state { established, related } counter name established-rx accept
197 225
198 226
@@ -209,8 +237,8 @@ table inet filter {
209 237
210 oifname lo counter name tx-lo accept 238 oifname lo counter name tx-lo accept
211 239
212 oifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-tx drop 240 oifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-tx drop
213 oifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop 241 oifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
214 meta l4proto $icmp_protos counter name icmp-tx accept 242 meta l4proto $icmp_protos counter name icmp-tx accept
215 243
216 244
@@ -240,34 +268,40 @@ table inet filter {
240 268
241 tcp sport 8432 counter name pgbackrest-tx accept 269 tcp sport 8432 counter name pgbackrest-tx accept
242 270
271 iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept
272 iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept
273 iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept
274 iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept
275 iifname bifrost tcp sport 5001 ip6 daddr $bifrost_surtr counter name changedetection-tx accept
276
243 277
244 counter name tx 278 counter name tx
245 } 279 }
246} 280}
247 281
248table inet nat { 282table inet nat {
249 counter gpon-nat {} 283 counter ppp-nat {}
250 # counter container-nat {} 284 counter kimai-nat {}
251 285
252 chain postrouting { 286 chain postrouting {
253 type nat hook postrouting priority srcnat 287 type nat hook postrouting priority srcnat
254 policy accept 288 policy accept
255 289
256 290
257 meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade 291 meta nfproto ipv4 oifname @pppInterface@ counter name ppp-nat masquerade
258 # iifname ve-* oifname gpon counter name container-nat masquerade 292 iifname ve-kimai oifname @pppInterface@ counter name kimai-nat masquerade
259 } 293 }
260} 294}
261 295
262table inet mss_clamp { 296table inet mss_clamp {
263 counter gpon-mss-clamp {} 297 counter ppp-mss-clamp {}
264 298
265 chain postrouting { 299 chain postrouting {
266 type filter hook postrouting priority mangle 300 type filter hook postrouting priority mangle
267 policy accept 301 policy accept
268 302
269 303
270 oifname gpon tcp flags & (syn|rst) == syn counter name gpon-mss-clamp tcp option maxseg size set rt mtu 304 oifname @pppInterface@ tcp flags & (syn|rst) == syn counter name ppp-mss-clamp tcp option maxseg size set rt mtu
271 } 305 }
272} 306}
273 307
@@ -402,7 +436,7 @@ table inet dscpclassify {
402 chain postrouting { 436 chain postrouting {
403 type filter hook postrouting priority filter + 1; policy accept 437 type filter hook postrouting priority filter + 1; policy accept
404 438
405 oifname != gpon return 439 oifname != @pppInterface@ return
406 440
407 ip dscp cs0 goto ct_set_cs0 441 ip dscp cs0 goto ct_set_cs0
408 ip dscp lephb goto ct_set_lephb 442 ip dscp lephb goto ct_set_lephb
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-16 23:08:25 +0000