From 9342cee52c63d50234db346ca0909caba0f94475 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Wed, 22 Jun 2022 10:50:52 +0200
Subject: sif: network for libvirtd

---
 hosts/sif/default.nix | 64 ++++++++++++++++++++++++++++++++++++++++++++++++---
 hosts/sif/ruleset.nft | 50 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 111 insertions(+), 3 deletions(-)

(limited to 'hosts')

diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index c3f4bd41..d82222d0 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -56,6 +56,11 @@ in {
       kernelModules = ["v4l2loopback"];
 
       tmpOnTmpfs = true;
+
+      kernel.sysctl = {
+        "net.ipv4.ip_forward" = true;
+        "net.ipv6.conf.all.forwarding" = true;
+      };
     };
 
     networking = {
@@ -106,9 +111,10 @@ in {
       # };
     };
 
-    environment.etc."NetworkManager/dnsmasq.d/libvirtd_dnsmasq.conf" = {
+    environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
       text = ''
-        server=/sif.libvirt/192.168.122.1
+        except-interface=virbr0
+        server=/libvirt/192.168.122.1@virbr0
       '';
     };
     environment.etc."NetworkManager/dnsmasq.d/wgrz.conf" = {
@@ -153,6 +159,13 @@ in {
             }
           ];
         };
+        virbr0 = {
+          netdevConfig = {
+            Name = "virbr0";
+            Kind = "bridge";
+            MACAddress = "52:54:00:18:85:5b";
+          };
+        };
       };
       networks = {
         wgrz = {
@@ -201,6 +214,16 @@ in {
             DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];
           };
         };
+        virbr0 = {
+          name = "virbr0";
+          matchConfig = {
+            Name = "virbr0";
+          };
+          address = ["192.168.122.1/24" "fd45:febc:b028::/48"];
+          networkConfig = {
+            ConfigureWithoutCarrier = true;
+          };
+        };
       };
     };
     sops.secrets.wgrz = {
@@ -210,7 +233,42 @@ in {
       owner = "root";
       group = "systemd-network";
     };
-    networking.networkmanager.unmanaged = ["wgrz"];
+    networking.networkmanager.unmanaged = ["wgrz" "virbr0"];
+
+    services.dnsmasq = {
+      enable = true;
+      resolveLocalQueries = false;
+      servers = [];
+      extraConfig = ''
+        enable-ra
+        local=/libvirt/
+        domain-needed
+        expand-hosts
+        bogus-priv
+        no-hosts
+        listen-address=192.168.122.1
+        listen-address=fd45:febc:b028::
+        interface=virbr0
+        except-interface=lo
+        bind-interfaces
+        domain=libvirt,192.168.122.0/24
+        dhcp-range=192.168.122.128,192.168.122.254,1h
+        dhcp-range=fd45:febc:b028::1,fd45:febc:b028:0:ffff:ffff:ffff:ffff,ra-names,1h
+        dhcp-host=52:54:00:18:85:5b,sif,192.168.122.1
+        dhcp-authoritative
+        dhcp-rapid-commit
+        dhcp-option=option6:dns-server,[fd45:febc:b028::]
+      '';
+    };
+    systemd.services.dnsmasq = {
+      bindsTo = ["sys-subsystem-net-devices-virbr0.device"];
+      after = ["sys-subsystem-net-devices-virbr0.device"];
+    };
+    systemd.services.libvirtd = {
+      wants = ["dnsmasq.service"];
+      bindsTo = ["sys-subsystem-net-devices-virbr0.device"];
+      after = ["dnsmasq.service" "sys-subsystem-net-devices-virbr0.device"];
+    };
 
     services.openssh.enable = true;
 
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
index 363ffbdc..2a1467b8 100644
--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -84,6 +84,10 @@ table inet filter {
 
   counter tx {}
 
+  counter fw-libvirt {}
+  counter libvirt-dhcp {}
+  counter libvirt-dns {}
+
 
   chain forward {
     type filter hook forward priority filter
@@ -95,6 +99,9 @@ table inet filter {
 
     iifname lo counter name fw-lo accept
 
+    iifname virbr0 oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4} counter name fw-libvirt accept
+    oifname virbr0 ct state {established, related} counter name fw-libvirt accept
+
 
     limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
     log level debug prefix "reject forward: " counter name reject-fw
@@ -125,6 +132,11 @@ table inet filter {
     udp dport 51820-51822 counter name wg-rx accept
     iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
 
+    iifname virbr0 udp dport 67 counter name libvirt-dhcp accept
+    iifname virbr0 udp dport 547 counter name libvirt-dhcp accept
+    iifname virbr0 udp dport 53 counter name libvirt-dns accept
+    iifname virbr0 tcp dport 53 counter name libvirt-dns accept
+
     ct state {established, related} counter name established-rx accept
 
 
@@ -153,7 +165,45 @@ table inet filter {
 
     tcp sport 8000 counter name quickserve-tx accept
 
+    oifname virbr0 udp sport 67 counter name libvirt-dhcp accept
+    oifname virbr0 udp sport 547 counter name libvirt-dhcp accept
+    oifname virbr0 udp sport 53 counter name libvirt-dns accept
+    oifname virbr0 tcp sport 53 counter name libvirt-dns accept
+
 
     counter name tx
   }
 }
+
+table ip nat {
+  counter libvirt-nat {}
+
+  chain postrouting {
+    type nat hook postrouting priority srcnat
+    policy accept
+
+    iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
+  }
+}
+
+table ip6 nat {
+  counter libvirt-nat {}
+
+  chain postrouting {
+    type nat hook postrouting priority srcnat
+    policy accept
+
+    iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
+  }
+}
+
+table ip mss_clamp {
+  counter libvirt-mss-clamp {}
+
+  chain postrouting {
+    type filter hook postrouting priority mangle
+    policy accept
+
+    iifname virbr0 oifname != virbr0 tcp flags & (syn|rst) == syn counter name libvirt-mss-clamp tcp option maxseg size set rt mtu
+  }
+}
\ No newline at end of file
-- 
cgit v1.2.3