commit 381ba55f4c1de69450d626c3fa7bfc592b64af15 · kitten.sh/system

+12 -5

modules/router/network.nix

···

       145
       145
        
                   DUIDType = "link-layer";

     

       146
       146
        
                   DUIDRawData = mkIf (extern.adoptMacAddress != null) "00:01:${extern.adoptMacAddress}";

     

       147
       147
        
                 };

     

       148
       148
       +
                 dhcpPrefixDelegationConfig = mkIf cfg.ipv6 {

     

       149
       149
       +
                   UplinkInterface = ":self";

     

       150
       150
       +
                   Announce = false;

     

       151
       151
       +
                 };

     

       148
       152
        
                 ipv6AcceptRAConfig = mkIf cfg.ipv6 {

     

       149
       153
        
                   UseDNS = false;

     

       150
       154
        
                   UseDomains = false;

     
···

       160
       164
        
                   DHCPServer = true;

     

       161
       165
        
                   IPv4Forwarding = true;

     

       162
       166
        
                   IPv6Forwarding = cfg.ipv6;

     

       163
       163
       -
                   IPMasquerade = if cfg.ipv6 then "ipv4" else "both";

     

       167
       167
       +
                   IPMasquerade = "ipv4";

     

       164
       168
        
                   ConfigureWithoutCarrier = true;

     

       165
       169
        
                   MulticastDNS = cfg.mdns;

     

       166
       170
        
                   DHCPPrefixDelegation = cfg.ipv6;

     

       167
       171
        
                   IPv6SendRA = cfg.ipv6;

     

       172
       172
       +
                   IPv6AcceptRA = mkIf cfg.ipv6 false;

     

       168
       173
        
                 };

     

       169
       174
        
                 fairQueueingControlledDelayConfig = {

     

       170
       175
        
                   Parent = "root";

     

       171
       176
        
                 };

     

       177
       177
       +
                 dhcpServerStaticLeases = builtins.map (lease: {

     

       178
       178
       +
                   Address = lease.ipAddress;

     

       179
       179
       +
                   MACAddress = lease.macAddress;

     

       180
       180
       +
                 }) cfg.leases;

     

       172
       181
        
                 dhcpServerConfig = {

     

       173
       182
        
                   EmitDNS = true;

     

       174
       183
        
                   EmitNTP = true;

     
···

       177
       186
        
                   DefaultLeaseTimeSec = 43200;

     

       178
       187
        
                   MaxLeaseTimeSec = 86400;

     

       179
       188
        
                 };

     

       180
       180
       -
                 dhcpServerStaticLeases = builtins.map (lease: {

     

       181
       181
       -
                   Address = lease.ipAddress;

     

       182
       182
       -
                   MACAddress = lease.macAddress;

     

       183
       183
       -
                 }) cfg.leases;

     

       184
       189
        
                 dhcpPrefixDelegationConfig = mkIf cfg.ipv6 {

     

       190
       190
       +
                   UplinkInterface = extern.name;

     

       191
       191
       +
                   Token = "static:::1";

     

       185
       192
        
                   Announce = true;

     

       186
       193
        
                 };

     

       187
       194
        
               };

+9 -16

modules/router/nftables.nix

···

       12
       12
        
       

     

       13
       13
        
         capturePortsRules =

     

       14
       14
        
           strings.concatStringsSep "\n"

     

       15
       15
       -
             (builtins.map (port: "  iifname { ${concatIfnames internalInterfaces} } udp dport ${toString port} redirect to ${toString port}") cfg.nftables.capturePorts);

     

       15
       15
       +
             (builtins.map (port: ''

     

       16
       16
       +
               iifname { ${concatIfnames internalInterfaces} } meta l4proto { tcp, udp } th dport ${toString port} redirect to ${toString port}

     

       17
       17
       +
             '') cfg.nftables.capturePorts);

     

       16
       18
        
       

     

       17
       19
        
         blockForwardRules =

     

       18
       20
        
           if intern != null then

     
···

       64
       66
        
       

     

       65
       67
        
                 chain postrouting {

     

       66
       68
        
                   type nat hook postrouting priority 0; policy accept;

     

       67
       67
       -
                   oifname != { ${concatIfnames trustedInterfaces} } masquerade

     

       69
       69
       +
                   oifname != { ${concatIfnames trustedInterfaces} } meta protocol ip masquerade

     

       68
       70
        
                 }

     

       69
       71
        
       

     

       70
       72
        
                 chain input {

     
···

       128
       130
        
                   ip dscp set cs0

     

       129
       131
        
                   ip6 dscp set cs0

     

       130
       132
        
       

     

       131
       131
       -
                   ip protocol udp udp sport ntp ip dscp set cs5

     

       132
       132
       -
                   ip6 nexthdr udp udp sport ntp ip6 dscp set cs5

     

       133
       133
       +
                   udp sport 53 ip dscp set cs5

     

       134
       134
       +
                   tcp sport 853 ip dscp set cs5

     

       135
       135
       +
                   udp sport 123 ip dscp set cs5

     

       136
       136
       +
                   tcp dport {80, 443} ip dscp set cs3

     

       133
       137
        
       

     

       134
       134
       -
                   ip saddr {1.1.1.1, 1.0.0.1} ip dscp set cs5

     

       135
       135
       -
                   ip daddr {1.1.1.1, 1.0.0.1} ip dscp set cs5

     

       136
       136
       -
       

     

       137
       137
       -
                   tcp dport {http, https} ip dscp set cs3

     

       138
       138
       -
                   tcp sport {http, https} ip dscp set cs3

     

       139
       139
       -
                   ip6 nexthdr tcp tcp dport {http, https} ip6 dscp set cs3

     

       140
       140
       -
                   ip6 nexthdr tcp tcp sport {http, https} ip6 dscp set cs3

     

       141
       141
       -
       

     

       142
       142
       -
                   udp dport 41641 ip dscp set cs4 # tailscale

     

       143
       143
       -
                   udp sport 41641 ip dscp set cs4 # tailscale

     

       144
       144
       -
       

     

       145
       145
       -
                   # mark some VOIP traffic as flash override (low delay)

     

       138
       138
       +
                   udp dport 41641 ip dscp set cs4

     

       146
       139
        
                   udp dport {3478-3479, 19302-19309} ip dscp set cs4

     

       147
       140
        
                   udp sport {3478-3479, 19302-19309} ip dscp set cs4

     

       148
       141
        
                   ip6 nexthdr udp udp dport {3478-3479, 19302-19309} ip6 dscp set cs4