From 41efa2ab074e43021fea33ce03c36f60b24cffa9 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 14 Oct 2025 12:54:39 +0200
Subject: ...
---
 hosts/vidhar/network/default.nix | 6 +-
 hosts/vidhar/network/gpon.nix | 271 ---------------------------------------
 hosts/vidhar/network/pap-secrets | 26 ----
 hosts/vidhar/network/pppoe.nix | 265 ++++++++++++++++++++++++++++++++++++++
 hosts/vidhar/network/ruleset.nft | 72 +++++------
 5 files changed, 305 insertions(+), 335 deletions(-)
 delete mode 100644 hosts/vidhar/network/gpon.nix
 delete mode 100644 hosts/vidhar/network/pap-secrets
 create mode 100644 hosts/vidhar/network/pppoe.nix
(limited to 'hosts/vidhar')
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 92d755f3..5245972d 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -3,7 +3,7 @@ with lib;
 {
- imports = [ ./gpon.nix ./bifrost ./dhcp ];
+ imports = [ ./pppoe.nix ./bifrost ./dhcp ];
 config = {
 networking = {
@@ -61,7 +61,9 @@ with lib;
 firewall.enable = false;
 nftables = {
 enable = true;
- rulesetFile = ./ruleset.nft;
+ rulesetFile = pkgs.replaceVars ./ruleset.nft {
+ inherit (config.networking) pppInterface;
+ };
 };
 resolvconf = {
diff --git a/hosts/vidhar/network/gpon.nix b/hosts/vidhar/network/gpon.nix
deleted file mode 100644
index 1628159c..00000000
--- a/hosts/vidhar/network/gpon.nix
+++ /dev/null
@@ -1,271 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - pppInterface = config.networking.pppInterface; -in { - options = { - networking.pppInterface = mkOption { - type = types.str; - default = "gpon"; - }; - }; - - config = { - networking.vlans = { - telekom = { - id = 7; - interface = "eno2"; - }; - }; - - services.pppd = { - enable = true; - peers.telekom.config = '' - nodefaultroute - ifname ${pppInterface} - lcp-echo-adaptive - lcp-echo-failure 5 - lcp-echo-interval 1 - maxfail 0 - mtu 1492 - mru 1492 - plugin pppoe.so - name telekom - user 002576900250551137425220#0001@t-online.de - nic-telekom - debug - +ipv6 - ''; - }; - systemd.services."pppd-telekom" = { - stopIfChanged = true; - - serviceConfig = { - PIDFile = "/run/pppd/${pppInterface}.pid"; - }; - restartTriggers = with config; [ - environment.etc."ppp/ip-pre-up".source - environment.etc."ppp/ip-up".source - environment.etc."ppp/ip-down".source - # sops.secrets."pap-secrets".sopsFile - ]; - }; - sops.secrets."pap-secrets" = { - format = "binary"; - sopsFile = ./pap-secrets; - path = "/etc/ppp/pap-secrets"; - }; - - environment.etc = { - "ppp/ip-pre-up".source = let - app = pkgs.writeShellApplication { - name = "ip-pre-up"; - runtimeInputs = with pkgs; [ iproute2 ethtool ]; - text = '' - ethtool -K telekom tso off gso off gro off - - ip link del "ifb4${pppInterface}" || true - ip link add name "ifb4${pppInterface}" type ifb - ip link set "ifb4${pppInterface}" up - - tc qdisc del dev "ifb4${pppInterface}" root || true - tc qdisc del dev "${pppInterface}" ingress || true - tc qdisc del dev "${pppInterface}" root || true - - tc qdisc add dev "${pppInterface}" handle ffff: ingress - tc filter add dev "${pppInterface}" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4${pppInterface}" - tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth 285mbit - tc qdisc replace dev 
"${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth 143mbit - ''; - }; - in "${app}/bin/${app.meta.mainProgram}"; - "ppp/ip-up".source = let - app = pkgs.writeShellApplication { - name = "ip-up"; - runtimeInputs = with pkgs; [ iproute2 ]; - text = '' - ip route add default via "$5" dev "${pppInterface}" metric 512 - ''; - }; - in "${app}/bin/${app.meta.mainProgram}"; - "ppp/ip-down".source = let - app = pkgs.writeShellApplication { - name = "ip-down"; - runtimeInputs = with pkgs; [ iproute2 ]; - text = '' - ip link del "ifb4${pppInterface}" - ''; - }; - in "${app}/bin/${app.meta.mainProgram}"; - }; - - systemd.network.networks.${pppInterface} = { - matchConfig = { - Name = pppInterface; - }; - dns = [ "::1" "127.0.0.1" ]; - domains = [ "~." ]; - networkConfig = { - LinkLocalAddressing = "no"; - DNSSEC = true; - }; - }; - - services.corerad = { - enable = true; - settings = { - interfaces = [ - { name = pppInterface; - monitor = true; - verbose = true; - } - { name = "lan"; - advertise = true; - verbose = true; - prefix = [{ prefix = "::/64"; }]; - route = [{ prefix = "::/0"; }]; - rdnss = [{ servers = ["::"]; }]; - dnssl = [{ domain_names = ["yggdrasil"]; }]; - # other_config = true; - } - ]; - - debug = { - address = "localhost:9430"; - prometheus = true; - }; - }; - }; - services.ndppd = { - enable = true; - proxies = { - ${pppInterface} = { - router = true; - rules = { - lan = { - method = "iface"; - interface = "lan"; - network = "::/0"; - }; - }; - }; - }; - }; - boot.kernelModules = [ "ifb" ]; - boot.kernel.sysctl = { - "net.ipv6.conf.all.forwarding" = true; - "net.ipv6.conf.default.forwarding" = true; - "net.ipv4.conf.all.forwarding" = true; - "net.ipv4.conf.default.forwarding" = true; - - "net.core.rmem_max" = 4194304; - "net.core.wmem_max" = 4194304; - }; - systemd.services."pppd-telekom" = { - bindsTo = [ "sys-subsystem-net-devices-telekom.device" ]; - after = [ "sys-subsystem-net-devices-telekom.device" ]; 
- }; - systemd.services."dhcpcd-${pppInterface}" = { - wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ]; - bindsTo = [ "pppd-telekom.service" ]; - after = [ "pppd-telekom.service" ]; - wants = [ "network.target" ]; - before = [ "network-online.target" ]; - - path = with pkgs; [ dhcpcd nettools openresolv ]; - unitConfig.ConditionCapability = "CAP_NET_ADMIN"; - - stopIfChanged = true; - - preStart = '' - i=0 - - while [[ -z "$(${pkgs.iproute2}/bin/ip -6 addr show dev ${pppInterface} scope link)" ]]; do - ${pkgs.coreutils}/bin/sleep 0.1 - i=$((i + 1)) - if [[ "$i" -ge 10 ]]; then - exit 1 - fi - done - ''; - - postStop = '' - for dev in lan; do - ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}" - done - ''; - - serviceConfig = let - dhcpcdConf = pkgs.writeText "dhcpcd.conf" '' - duid - vendorclassid - ipv6only - - nooption domain_name_servers, domain_name, domain_search - option classless_static_routes - option interface_mtu - - option host_name - option rapid_commit - require dhcp_server_identifier - slaac private - - nohook resolv.conf - ipv6ra_autoconf - iaid 1195061668 - ipv6rs # enable routing solicitation for WAN adapter - ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN - - reboot 0 - - waitip 6 - ''; - in { - Type = "forking"; - PIDFile = "/var/run/dhcpcd/${pppInterface}.pid"; - RuntimeDirectory = "dhcpcd"; - ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf} ${pppInterface}"; - ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind ${pppInterface}"; - Restart = "always"; - RestartSec = "5"; - }; - }; - systemd.services.ndppd = { - wantedBy = [ "dhcpcd-${pppInterface}.service" ]; - bindsTo = [ "dhcpcd-${pppInterface}.service" ]; - after = [ "dhcpcd-${pppInterface}.service" ]; - - serviceConfig = { - Restart = "always"; - 
RestartSec = "5"; - }; - }; - systemd.services.corerad = { - wantedBy = [ "dhcpcd-${pppInterface}.service" ]; - bindsTo = [ "dhcpcd-${pppInterface}.service" ]; - after = [ "dhcpcd-${pppInterface}.service" ]; - - serviceConfig = { - Restart = lib.mkForce "always"; - RestartSec = "5"; - }; - }; - users.users.dhcpcd = { - isSystemUser = true; - group = "dhcpcd"; - }; - users.groups.dhcpcd = {}; - - systemd.services.unbound = { - wantedBy = [ "dhcpcd-${pppInterface}.service" ]; - bindsTo = [ "dhcpcd-${pppInterface}.service" ]; - after = [ "dhcpcd-${pppInterface}.service" ]; - - serviceConfig = { - Restart = lib.mkForce "always"; - }; - }; - }; -} diff --git a/hosts/vidhar/network/pap-secrets b/hosts/vidhar/network/pap-secrets deleted file mode 100644 index 3516de6c..00000000 --- a/hosts/vidhar/network/pap-secrets +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:BOyWdys7Oja54Ijv5j+kqufdokQe0onnqw/gVxpNOMf+YI/LlzJscaEtGqPh3ehVtYoSWGumCBPrjdq/zhYq4VV/PCtdeu3MnX1CH2B5bH0mFs0eXcqeGK6NErz/b5nEglv4Z19ig2CUDlbvi8h1zZAEjxTNKhT16ItCtJnBCsIoiMl2QcTTWMyh4a02v3wA1UrOQZvFuCgCHmRoBE6vpREyB23gQdrdKLk7D1LLw5C1aZnzQOhFsgs7bVjOcBnmwTao8ntXxw==,iv:X5FgYkl3DGA/lkRsoc+5XrK3Nlp/ldnFigpXpYNfSJE=,tag:qUH7m9NzuVNnOfr3rRgaOg==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYTFaTDZRbDd6cFBRSTNN\nVk1kcFJXRG9TT21IMDZsVmtoZjBTNDNjeDFzCkhxNEI2Ujd6SW1STG43eE5EdzZa\nS3phenJZN0RxajBXQ1BnbUhTa3htdFEKLS0tIGVlT3lReHJSQ2UvQ1FST0M0RzVP\nNmxWNzJmNlFPclJTeDUycDJiUzA4Yk0K4JHtkEPY49TGnKPZzEoEZ131RxeQEWkR\nK1ftH2ilr2tUhiErhpqxoTqfAm33xvruqTsePxh1uC7svzKtKBlS2g==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2021-11-15T08:30:09Z", - "mac": "ENC[AES256_GCM,data:TAgZ4ktdN9sZPMo1UtwjKdTM2QBjLorcm84HYXTGYNNEorPoqrXAWOvyWRLjx+zxzpRuDLBPQHCkjwkVO2CctxnTaWPMwITbYtQqj/5ZxACuAeX8MaSximB8s5MJK2faCuVXEnFehbnnPr5Fs8ZsgHwu2iH6DU8ScLEkgckzGV0=,iv:keUbKwWfoIIBsp5Rsm2lEba1ZHAozQY2YpA6p5qDBiU=,tag:1llGytMGvOjSVYKJXGUmXg==,type:str]", - "pgp": [ - { - "created_at": "2023-01-30T10:58:50Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA+cwEt6Gv5oKvym4ceJek+J/5guNpmsLLXWIY5CCCSXUw\npXyQpqxm7LQnasIqYNNsNCVbB1mAu6WU6MKn0BG03YWjr8buLB+7PpwZcxeZzRfD\n0l4BAsl+vKwa2YSMCR+EWYSfeEzEVHqoGBJ60dYXuiFiNZInCik+g69PdhsGygNH\nRtIcRiCB8t94GkvdWySTq5ohi1wKOe224l9evbt4zXntVngCHxixuufLrr3Cj+EE\n=3lw4\n-----END PGP MESSAGE-----\n", - "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.7.1" - } -} \ No newline at end of file 
diff --git a/hosts/vidhar/network/pppoe.nix b/hosts/vidhar/network/pppoe.nix
new file mode 100644
index 00000000..da64b353
--- /dev/null
+++ b/hosts/vidhar/network/pppoe.nix
@@ -0,0 +1,265 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ pppInterface = config.networking.pppInterface;
+in {
+ options = {
+ networking.pppInterface = mkOption {
+ type = types.str;
+ default = "ppp";
+ };
+ };
+
+ config = {
+ networking.vlans = {
+ telekom = {
+ id = 7;
+ interface = "eno2";
+ };
+ };
+
+ services.pppd = {
+ enable = true;
+ peers.telekom.config = ''
+ nodefaultroute
+ ifname ${pppInterface}
+ lcp-echo-adaptive
+ lcp-echo-failure 5
+ lcp-echo-interval 1
+ maxfail 0
+ mtu 1492
+ mru 1492
+ plugin pppoe.so
+ user congstar
+ password congstar
+ nic-telekom
+ debug
+ +ipv6
+ '';
+ };
+ systemd.services."pppd-telekom" = {
+ stopIfChanged = true;
+
+ serviceConfig = {
+ PIDFile = "/run/pppd/${pppInterface}.pid";
+ };
+ restartTriggers = with config; [
+ environment.etc."ppp/ip-pre-up".source
+ environment.etc."ppp/ip-up".source
+ environment.etc."ppp/ip-down".source
+ ];
+ };
+
+ environment.etc = {
+ "ppp/ip-pre-up".source = let
+ app = pkgs.writeShellApplication {
+ name = "ip-pre-up";
+ runtimeInputs = with pkgs; [ iproute2 ethtool ];
+ text = ''
+ ethtool -K telekom tso off gso off gro off
+
+ ip link del "ifb4${pppInterface}" || true
+ ip link add name "ifb4${pppInterface}" type ifb
+ ip link set "ifb4${pppInterface}" up
+
+ tc qdisc del dev "ifb4${pppInterface}" root || true
+ tc qdisc del dev "${pppInterface}" ingress || true
+ tc qdisc del dev "${pppInterface}" root || true
+
+ tc qdisc add dev "${pppInterface}" handle ffff: ingress
+ tc filter add dev "${pppInterface}" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4${pppInterface}"
+ tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth ${toString (builtins.floor (159 * 0.95))}mbit
+ tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth ${toString (builtins.floor (36 * 0.95))}mbit
+ '';
+ };
+ in "${app}/bin/${app.meta.mainProgram}";
+ "ppp/ip-up".source = let
+ app = pkgs.writeShellApplication {
+ name = "ip-up";
+ runtimeInputs = with pkgs; [ iproute2 ];
+ text = ''
+ ip route add default via "$5" dev "${pppInterface}" metric 512
+ '';
+ };
+ in "${app}/bin/${app.meta.mainProgram}";
+ "ppp/ip-down".source = let
+ app = pkgs.writeShellApplication {
+ name = "ip-down";
+ runtimeInputs = with pkgs; [ iproute2 ];
+ text = ''
+ ip link del "ifb4${pppInterface}"
+ '';
+ };
+ in "${app}/bin/${app.meta.mainProgram}";
+ };
+
+ systemd.network.networks.${pppInterface} = {
+ matchConfig = {
+ Name = pppInterface;
+ };
+ dns = [ "::1" "127.0.0.1" ];
+ domains = [ "~." ];
+ networkConfig = {
+ LinkLocalAddressing = "no";
+ DNSSEC = true;
+ };
+ };
+
+ services.corerad = {
+ enable = true;
+ settings = {
+ interfaces = [
+ { name = pppInterface;
+ monitor = true;
+ verbose = true;
+ }
+ { name = "lan";
+ advertise = true;
+ verbose = true;
+ prefix = [{ prefix = "::/64"; }];
+ route = [{ prefix = "::/0"; }];
+ rdnss = [{ servers = ["::"]; }];
+ dnssl = [{ domain_names = ["yggdrasil"]; }];
+ # other_config = true;
+ }
+ ];
+
+ debug = {
+ address = "localhost:9430";
+ prometheus = true;
+ };
+ };
+ };
+ services.ndppd = {
+ enable = true;
+ proxies = {
+ ${pppInterface} = {
+ router = true;
+ rules = {
+ lan = {
+ method = "iface";
+ interface = "lan";
+ network = "::/0";
+ };
+ };
+ };
+ };
+ };
+ boot.kernelModules = [ "ifb" ];
+ boot.kernel.sysctl = {
+ "net.ipv6.conf.all.forwarding" = true;
+ "net.ipv6.conf.default.forwarding" = true;
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv4.conf.default.forwarding" = true;
+
+ "net.core.rmem_max" = 4194304;
+ "net.core.wmem_max" = 4194304;
+ };
+ systemd.services."pppd-telekom" = {
+ bindsTo = [ "sys-subsystem-net-devices-telekom.device" ];
+ after = [ "sys-subsystem-net-devices-telekom.device" ];
+ };
+ systemd.services."dhcpcd-${pppInterface}" = {
+ wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ];
+ bindsTo = [ "pppd-telekom.service" ];
+ after = [ "pppd-telekom.service" ];
+ wants = [ "network.target" ];
+ before = [ "network-online.target" ];
+
+ path = with pkgs; [ dhcpcd nettools openresolv ];
+ unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+
+ stopIfChanged = true;
+
+ preStart = ''
+ i=0
+
+ while [[ -z "$(${pkgs.iproute2}/bin/ip -6 addr show dev ${pppInterface} scope link)" ]]; do
+ ${pkgs.coreutils}/bin/sleep 0.1
+ i=$((i + 1))
+ if [[ "$i" -ge 10 ]]; then
+ exit 1
+ fi
+ done
+ '';
+
+ postStop = ''
+ for dev in lan; do
+ ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"
+ done
+ '';
+
+ serviceConfig = let
+ dhcpcdConf = pkgs.writeText "dhcpcd.conf" ''
+ duid
+ vendorclassid
+ ipv6only
+
+ nooption domain_name_servers, domain_name, domain_search
+ option classless_static_routes
+ option interface_mtu
+
+ option host_name
+ option rapid_commit
+ require dhcp_server_identifier
+ slaac private
+
+ nohook resolv.conf
+ ipv6ra_autoconf
+ iaid 1195061668
+ ipv6rs # enable routing solicitation for WAN adapter
+ ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
+
+ reboot 0
+
+ waitip 6
+ '';
+ in {
+ Type = "forking";
+ PIDFile = "/var/run/dhcpcd/${pppInterface}.pid";
+ RuntimeDirectory = "dhcpcd";
+ ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf} ${pppInterface}";
+ ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind ${pppInterface}";
+ Restart = "always";
+ RestartSec = "5";
+ };
+ };
+ systemd.services.ndppd = {
+ wantedBy = [ "dhcpcd-${pppInterface}.service" ];
+ bindsTo = [ "dhcpcd-${pppInterface}.service" ];
+ after = [ "dhcpcd-${pppInterface}.service" ];
+
+ serviceConfig = {
+ Restart = "always";
+ RestartSec = "5";
+ };
+ };
+ systemd.services.corerad = {
+ wantedBy = [ "dhcpcd-${pppInterface}.service" ];
+ bindsTo = [ "dhcpcd-${pppInterface}.service" ];
+ after = [ "dhcpcd-${pppInterface}.service" ];
+
+ serviceConfig = {
+ Restart = lib.mkForce "always";
+ RestartSec = "5";
+ };
+ };
+ users.users.dhcpcd = {
+ isSystemUser = true;
+ group = "dhcpcd";
+ };
+ users.groups.dhcpcd = {};
+
+ systemd.services.unbound = {
+ wantedBy = [ "dhcpcd-${pppInterface}.service" ];
+ bindsTo = [ "dhcpcd-${pppInterface}.service" ];
+ after = [ "dhcpcd-${pppInterface}.service" ];
+
+ serviceConfig = {
+ Restart = lib.mkForce "always";
+ };
+ };
+ };
+}
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 7897fb3d..dd750394 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -5,15 +5,15 @@ table arp filter {
 limit lim_arp_local {
 rate over 50 mbytes/second burst 50 mbytes
 }
- limit lim_arp_gpon {
+ limit lim_arp_ppp {
 rate over 7500 kbytes/second burst 7500 kbytes
 }
 counter arp-rx {}
 counter arp-tx {}
- counter arp-ratelimit-gpon-rx {}
- counter arp-ratelimit-gpon-tx {}
+ counter arp-ratelimit-ppp-rx {}
+ counter arp-ratelimit-ppp-tx {}
 counter arp-ratelimit-local-rx {}
 counter arp-ratelimit-local-tx {}
@@ -22,8 +22,8 @@ table arp filter {
 type filter hook input priority filter
 policy accept
- iifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-rx drop
- iifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-rx drop
+ iifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-rx drop
+ iifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-rx drop
 counter name arp-rx
 }
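Review bot: `password congstar` in `peers.telekom.config` moves the PPPoE credential into the generated peer file, and since the pppd module appears to write that text through `environment.etc` it ends up in the world-readable Nix store as well as in this repository, whereas the deleted gpon.nix kept it in a sops-managed `/etc/ppp/pap-secrets` and referenced it only via `name`/`user`. If these are the provider's generic, published credentials that is acceptable, but then say so next to the line, e.g. `# provider-generic credentials, intentionally not a secret`. Otherwise keep only `user congstar` here, drop the `password` line, and restore the sops `pap-secrets` entry, re-adding `sops.secrets."pap-secrets".sopsFile` to `restartTriggers` (the old file had it commented out) so pppd restarts when the secret is rotated. As a point of style, the `159`/`36`/`0.95` figures inside the two cake `bandwidth` arguments would be clearer as named `let` bindings such as `downMbit = 159; upMbit = 36; headroom = 0.95;` with a comment on where the line rates come from.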
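Review bot: The substituted interface name now appears unquoted at more than twenty sites across this file's hunks (from this arp filter hunk through the dscpclassify hunk at the end), so every future rule must remember the `@pppInterface@` placeholder and a typo only surfaces when the ruleset is checked at build time. A single nft variable at the top of the file, `define wan = "@pppInterface@"`, with `$wan` in the rules, as the file already does for `$icmp_protos` and `$bifrost_surtr`, would reduce the substitution to one site and keep the ruleset readable without the Nix layer; the top of the file is outside these hunks. Quoting the value there also keeps the match intact if the option is ever set to a name that collides with an nft keyword, which an unquoted token would not survive.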
@@ -32,8 +32,8 @@ table arp filter {
 type filter hook output priority filter
 policy accept
- oifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-tx drop
- oifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-tx drop
+ oifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-tx drop
+ oifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-tx drop
 counter name arp-tx
 }
@@ -47,11 +47,11 @@ table inet filter {
 limit lim_icmp_local {
 rate over 50 mbytes/second burst 50 mbytes
 }
- limit lim_icmp_gpon {
+ limit lim_icmp_ppp {
 rate over 7500 kbytes/second burst 7500 kbytes
 }
- counter icmp-ratelimit-gpon-fw {}
+ counter icmp-ratelimit-ppp-fw {}
 counter icmp-ratelimit-local-fw {}
 counter icmp-fw {}
@@ -59,7 +59,7 @@ table inet filter {
 counter invalid-fw {}
 counter fw-lo {}
 counter fw-lan {}
- counter fw-gpon {}
+ counter fw-ppp {}
 counter fw-kimai {}
 counter fw-cups {}
@@ -75,7 +75,7 @@ table inet filter {
 counter invalid-local4-rx {}
 counter invalid-local6-rx {}
- counter icmp-ratelimit-gpon-rx {}
+ counter icmp-ratelimit-ppp-rx {}
 counter icmp-ratelimit-local-rx {}
 counter icmp-rx {}
@@ -108,7 +108,7 @@ table inet filter {
 counter tx-lo {}
- counter icmp-ratelimit-gpon-tx {}
+ counter icmp-ratelimit-ppp-tx {}
 counter icmp-ratelimit-local-tx {}
 counter icmp-tx {}
@@ -135,10 +135,10 @@ table inet filter {
 chain forward_icmp_accept {
- oifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop
- iifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop
- oifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
- iifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+ oifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
+ iifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
+ oifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+ iifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
 counter name icmp-fw accept
 }
 chain forward {
@@ -151,12 +151,12 @@ table inet filter {
 iifname lo counter name fw-lo accept
- oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
- iifname lan oifname { gpon, bifrost } counter name fw-lan accept
- iifname ve-kimai oifname gpon counter name fw-kimai accept
+ oifname { lan, @pppInterface@, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
+ iifname lan oifname { @pppInterface@, bifrost } counter name fw-lan accept
+ iifname ve-kimai oifname @pppInterface@ counter name fw-kimai accept
- iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept
- iifname gpon oifname ve-kimai ct state { established, related } counter name fw-kimai accept
+ iifname @pppInterface@ oifname lan ct state { established, related } counter name fw-ppp accept
+ iifname @pppInterface@ oifname ve-kimai ct state { established, related } counter name fw-kimai accept
 iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
 iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
@@ -180,22 +180,22 @@ table inet filter {
 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
- iifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-rx drop
- iifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
+ iifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-rx drop
+ iifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
 meta l4proto $icmp_protos counter name icmp-rx accept
- iifname { lan, mgmt, gpon, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
- iifname { lan, mgmt, gpon, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
+ iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
+ iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
 iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
- iifname { lan, mgmt, gpon } meta protocol ip udp dport 51820 counter name wg-rx accept
- iifname { lan, mgmt, gpon } meta protocol ip6 udp dport 51821 counter name wg-rx accept
+ iifname { lan, mgmt, @pppInterface@ } meta protocol ip udp dport 51820 counter name wg-rx accept
+ iifname { lan, mgmt, @pppInterface@ } meta protocol ip6 udp dport 51821 counter name wg-rx accept
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
- iifname gpon meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
+ iifname @pppInterface@ meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
 iifname mgmt udp dport 123 counter name ntp-rx accept
@@ -231,8 +231,8 @@ table inet filter {
 oifname lo counter name tx-lo accept
- oifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-tx drop
- oifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
+ oifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-tx drop
+ oifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
 meta l4proto $icmp_protos counter name icmp-tx accept
@@ -273,7 +273,7 @@ table inet filter {
 }
 table inet nat {
- counter gpon-nat {}
+ counter ppp-nat {}
 counter kimai-nat {}
 chain postrouting {
@@ -281,20 +281,20 @@ table inet nat {
 policy accept
- meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade
- iifname ve-kimai oifname gpon counter name kimai-nat masquerade
+ meta nfproto ipv4 oifname @pppInterface@ counter name ppp-nat masquerade
+ iifname ve-kimai oifname @pppInterface@ counter name kimai-nat masquerade
 }
 }
 table inet mss_clamp {
- counter gpon-mss-clamp {}
+ counter ppp-mss-clamp {}
 chain postrouting {
 type filter hook postrouting priority mangle
 policy accept
- oifname gpon tcp flags & (syn|rst) == syn counter name gpon-mss-clamp tcp option maxseg size set rt mtu
+ oifname @pppInterface@ tcp flags & (syn|rst) == syn counter name ppp-mss-clamp tcp option maxseg size set rt mtu
 }
 }
@@ -429,7 +429,7 @@ table inet dscpclassify {
 chain postrouting {
 type filter hook postrouting priority filter + 1; policy accept
- oifname != gpon return
+ oifname != @pppInterface@ return
 ip dscp cs0 goto ct_set_cs0
 ip dscp lephb goto ct_set_lephb
-- cgit v1.2.3