From 9342cee52c63d50234db346ca0909caba0f94475 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 22 Jun 2022 10:50:52 +0200
Subject: sif: network for libvirtd
---
 hosts/sif/default.nix | 64 ++++++++++++++++++++++++++++++++++++++++++++++++---
 hosts/sif/ruleset.nft | 50 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 111 insertions(+), 3 deletions(-)
(limited to 'hosts')
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index c3f4bd41..d82222d0 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -56,6 +56,11 @@ in {
 kernelModules = ["v4l2loopback"];
 tmpOnTmpfs = true;
+
+ kernel.sysctl = {
+ "net.ipv4.ip_forward" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ };
 };
 networking = {
@@ -106,9 +111,10 @@ in {
 # };
 };
- environment.etc."NetworkManager/dnsmasq.d/libvirtd_dnsmasq.conf" = {
+ environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
 text = ''
- server=/sif.libvirt/192.168.122.1
+ except-interface=virbr0
+ server=/libvirt/192.168.122.1@virbr0
 '';
 };
 environment.etc."NetworkManager/dnsmasq.d/wgrz.conf" = {
@@ -153,6 +159,13 @@ in {
 }
 ];
 };
+ virbr0 = {
+ netdevConfig = {
+ Name = "virbr0";
+ Kind = "bridge";
+ MACAddress = "52:54:00:18:85:5b";
+ };
+ };
 };
 networks = {
 wgrz = {
@@ -201,6 +214,16 @@ in {
 DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];
 };
 };
+ virbr0 = {
+ name = "virbr0";
+ matchConfig = {
+ Name = "virbr0";
+ };
+ address = ["192.168.122.1/24" "fd45:febc:b028::/48"];
+ networkConfig = {
+ ConfigureWithoutCarrier = true;
+ };
+ };
 };
 };
 sops.secrets.wgrz = {
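Review bot: `"net.ipv6.conf.all.forwarding" = true` in the new `kernel.sysctl` block also changes how the host treats Router Advertisements: on Linux an interface with the default `accept_ra = 1` stops accepting RAs once forwarding is enabled, so any uplink that obtains its IPv6 address or default route via SLAAC would lose it after this change. If such an uplink exists (not visible in this hunk), pair the switch with `"net.ipv6.conf.<UPLINK>.accept_ra" = 2;` (placeholder for the real interface name); per-interface IPv6 forwarding is not a substitute, since on Linux only the global flag plus netfilter decide what is forwarded, which is what the ruleset.nft forward chain in this patch does. A short why-comment above the two sysctls (`# host routes and NATs libvirt guests on virbr0`) would tie the two files together. The enclosing `boot` attribute set starts before the hunk.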
@@ -210,7 +233,42 @@ in {
 owner = "root";
 group = "systemd-network";
 };
- networking.networkmanager.unmanaged = ["wgrz"];
+ networking.networkmanager.unmanaged = ["wgrz" "virbr0"];
+
+ services.dnsmasq = {
+ enable = true;
+ resolveLocalQueries = false;
+ servers = [];
+ extraConfig = ''
+ enable-ra
+ local=/libvirt/
+ domain-needed
+ expand-hosts
+ bogus-priv
+ no-hosts
+ listen-address=192.168.122.1
+ listen-address=fd45:febc:b028::
+ interface=virbr0
+ except-interface=lo
+ bind-interfaces
+ domain=libvirt,192.168.122.0/24
+ dhcp-range=192.168.122.128,192.168.122.254,1h
+ dhcp-range=fd45:febc:b028::1,fd45:febc:b028:0:ffff:ffff:ffff:ffff,ra-names,1h
+ dhcp-host=52:54:00:18:85:5b,sif,192.168.122.1
+ dhcp-authoritative
+ dhcp-rapid-commit
+ dhcp-option=option6:dns-server,[fd45:febc:b028::]
+ '';
+ };
+ systemd.services.dnsmasq = {
+ bindsTo = ["sys-subsystem-net-devices-virbr0.device"];
+ after = ["sys-subsystem-net-devices-virbr0.device"];
+ };
+ systemd.services.libvirtd = {
+ wants = ["dnsmasq.service"];
+ bindsTo = ["sys-subsystem-net-devices-virbr0.device"];
+ after = ["dnsmasq.service" "sys-subsystem-net-devices-virbr0.device"];
+ };
 services.openssh.enable = true;
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
index 363ffbdc..2a1467b8 100644
--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -84,6 +84,10 @@ table inet filter {
 counter tx {}
+ counter fw-libvirt {}
+ counter libvirt-dhcp {}
+ counter libvirt-dns {}
+
 chain forward {
 type filter hook forward priority filter
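Review bot: The bridge name `virbr0` and the `52:54:00:…` MAC are what libvirt's own `default` network creates, and that network starts its own dnsmasq on the bridge; if it is still defined and autostarted it will compete with `systemd.services.dnsmasq` for `virbr0` and for the `bind-interfaces` listener on 192.168.122.1 ports 53/67, and the `bindsTo`/`after` ordering on the device unit does not prevent that. If the libvirt network has already been undefined or set to autostart=no, a one-line comment above `services.dnsmasq` saying so (`# virbr0 is created by networkd; libvirt's "default" network must stay undefined`) would spare the next reader the same question. Also, `servers = []` without `no-resolv` means guest queries for names outside `libvirt` are forwarded to whatever `/etc/resolv.conf` on the host lists, which looks intentional but is worth stating in the same comment. The `services.dnsmasq` block is complete within the hunk.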
@@ -95,6 +99,9 @@ table inet filter {
 iifname lo counter name fw-lo accept
+ iifname virbr0 oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4} counter name fw-libvirt accept
+ oifname virbr0 ct state {established, related} counter name fw-libvirt accept
+
 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
 log level debug prefix "reject forward: " counter name reject-fw
@@ -125,6 +132,11 @@ table inet filter {
 udp dport 51820-51822 counter name wg-rx accept
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
+ iifname virbr0 udp dport 67 counter name libvirt-dhcp accept
+ iifname virbr0 udp dport 547 counter name libvirt-dhcp accept
+ iifname virbr0 udp dport 53 counter name libvirt-dns accept
+ iifname virbr0 tcp dport 53 counter name libvirt-dns accept
+
 ct state {established, related} counter name established-rx accept
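Review bot: The new forward rule admits guest traffic by excluding a fixed list of tunnel interfaces (`oifname != {lo, wgrz, yggdrasil-wg-4, …}`), so any interface added to the host later is reachable from virbr0 until someone remembers to extend the set; an allow-list of the uplink(s) guests may actually use, e.g. `iifname virbr0 oifname <UPLINK> counter name fw-libvirt accept` with the real interface name, fails closed instead. The rule also has no source-address match, so a guest can send packets with any source and they are forwarded and, by the `masquerade` rules in the `ip nat`/`ip6 nat` tables later in this patch, rewritten to the host's address; one rule per family with `ip saddr 192.168.122.0/24` and `ip6 saddr fd45:febc:b028::/48` on the forward accept (or on the masquerade rules) limits forwarding to the addresses the bridge actually hands out. The `chain forward` block starts before the hunk.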
@@ -153,7 +165,45 @@ table inet filter {
 tcp sport 8000 counter name quickserve-tx accept
+ oifname virbr0 udp sport 67 counter name libvirt-dhcp accept
+ oifname virbr0 udp sport 547 counter name libvirt-dhcp accept
+ oifname virbr0 udp sport 53 counter name libvirt-dns accept
+ oifname virbr0 tcp sport 53 counter name libvirt-dns accept
+
 counter name tx
 }
 }
+
+table ip nat {
+ counter libvirt-nat {}
+
+ chain postrouting {
+ type nat hook postrouting priority srcnat
+ policy accept
+
+ iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
+ }
+}
+
+table ip6 nat {
+ counter libvirt-nat {}
+
+ chain postrouting {
+ type nat hook postrouting priority srcnat
+ policy accept
+
+ iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
+ }
+}
+
+table ip mss_clamp {
+ counter libvirt-mss-clamp {}
+
+ chain postrouting {
+ type filter hook postrouting priority mangle
+ policy accept
+
+ iifname virbr0 oifname != virbr0 tcp flags & (syn|rst) == syn counter name libvirt-mss-clamp tcp option maxseg size set rt mtu
+ }
+}
\ No newline at end of file
--
cgit v1.2.3
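Review bot: The MSS clamp is added only in `table ip mss_clamp`, while `table ip6 nat` masquerades guest IPv6 in exactly the same way; nothing clamps IPv6 SYNs, so v6 flows from guests over a lower-MTU uplink depend on PMTUD working end to end, which the v4 rule was presumably added to avoid. A matching `table ip6 mss_clamp` with the same `tcp option maxseg size set rt mtu` rule makes both families behave alike. The two `masquerade` rules also use `oifname != virbr0`, broader than the interface set the forward chain earlier in this patch admits; keeping one expression in both places avoids NAT-ing traffic the filter never forwards, and a comment above each table (`# source NAT for libvirt guests leaving via the uplink`) would make the intent explicit. The `chain output` the first five lines belong to starts before the hunk.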