pyrox.dev / nixpkgs
lol
fork atom

nixos/networking: add foo-over-udp endpoint support

allows configuration of foo-over-udp decapsulation endpoints. sadly networkd
seems to lack the features necessary to support local and peer address
configuration, so those are only supported when using scripted configuration.

pennae f29ea2d1 eebfe719

options
unified split
Changed files
+211 -1
nixos
doc
manual
from_md
release-notes
rl-2111.section.xml
release-notes
rl-2111.section.md
modules
system
boot
networkd.nix
tasks
network-interfaces-scripted.nix
network-interfaces-systemd.nix
network-interfaces.nix
tests
networking.nix
+13
nixos/doc/manual/from_md/release-notes/rl-2111.section.xml 
···

       
1535

       
1535

       
 

       
          release notes</link> for changes and upgrade instructions.


     

       
1536

       
1536

       
 

       
        </para>


     

       
1537

       
1537

       
 

       
      </listitem>


     

       

       
1538

       
+

       
      <listitem>


     

       

       
1539

       
+

       
        <para>


     

       

       
1540

       
+

       
          The <literal>systemd.network</literal> module has gained


     

       

       
1541

       
+

       
          support for the FooOverUDP link type.


     

       

       
1542

       
+

       
        </para>


     

       

       
1543

       
+

       
      </listitem>


     

       

       
1544

       
+

       
      <listitem>


     

       

       
1545

       
+

       
        <para>


     

       

       
1546

       
+

       
          The <literal>networking</literal> module has a new


     

       

       
1547

       
+

       
          <literal>networking.fooOverUDP</literal> option to configure


     

       

       
1548

       
+

       
          Foo-over-UDP encapsulations.


     

       

       
1549

       
+

       
        </para>


     

       

       
1550

       
+

       
      </listitem>


     

       
1538

       
1551

       
 

       
    </itemizedlist>


     

       
1539

       
1552

       
 

       
  </section>


     

       
1540

       
1553

       
 

       
</section>
+4
nixos/doc/manual/release-notes/rl-2111.section.md 
···

       
443

       
443

       
 

       
- Three new options, [xdg.mime.addedAssociations](#opt-xdg.mime.addedAssociations), [xdg.mime.defaultApplications](#opt-xdg.mime.defaultApplications), and [xdg.mime.removedAssociations](#opt-xdg.mime.removedAssociations) have been added to the [xdg.mime](#opt-xdg.mime.enable) module to allow the configuration of `/etc/xdg/mimeapps.list`.


     

       
444

       
444

       
 

       



     

       
445

       
445

       
 

       
- Kopia was upgraded from 0.8.x to 0.9.x. Please read the [upstream release notes](https://github.com/kopia/kopia/releases/tag/v0.9.0) for changes and upgrade instructions.


     

       

       
446

       
+

       



     

       

       
447

       
+

       
- The `systemd.network` module has gained support for the FooOverUDP link type.


     

       

       
448

       
+

       



     

       

       
449

       
+

       
- The `networking` module has a new `networking.fooOverUDP` option to configure Foo-over-UDP encapsulations.
+26
nixos/modules/system/boot/networkd.nix 
···

       
250

       
250

       
 

       
        (assertRange "ERSPANIndex" 1 1048575)


     

       
251

       
251

       
 

       
      ];


     

       
252

       
252

       
 

       



     

       

       
253

       
+

       
      sectionFooOverUDP = checkUnitConfig "FooOverUDP" [


     

       

       
254

       
+

       
        (assertOnlyFields [


     

       

       
255

       
+

       
          "Port"


     

       

       
256

       
+

       
          "Encapsulation"


     

       

       
257

       
+

       
          "Protocol"


     

       

       
258

       
+

       
        ])


     

       

       
259

       
+

       
        (assertPort "Port")


     

       

       
260

       
+

       
        (assertValueOneOf "Encapsulation" ["FooOverUDP" "GenericUDPEncapsulation"])


     

       

       
261

       
+

       
      ];


     

       

       
262

       
+

       



     

       
253

       
263

       
 

       
      sectionPeer = checkUnitConfig "Peer" [


     

       
254

       
264

       
 

       
        (assertOnlyFields [


     

       
255

       
265

       
 

       
          "Name"


     
···

       
919

       
929

       
 

       
      '';


     

       
920

       
930

       
 

       
    };


     

       
921

       
931

       
 

       



     

       

       
932

       
+

       
    fooOverUDPConfig = mkOption {


     

       

       
933

       
+

       
      default = { };


     

       

       
934

       
+

       
      example = { Port = 9001; };


     

       

       
935

       
+

       
      type = types.addCheck (types.attrsOf unitOption) check.netdev.sectionFooOverUDP;


     

       

       
936

       
+

       
      description = ''


     

       

       
937

       
+

       
        Each attribute in this set specifies an option in the


     

       

       
938

       
+

       
        <literal>[FooOverUDP]</literal> section of the unit.  See


     

       

       
939

       
+

       
        <citerefentry><refentrytitle>systemd.netdev</refentrytitle>


     

       

       
940

       
+

       
        <manvolnum>5</manvolnum></citerefentry> for details.


     

       

       
941

       
+

       
      '';


     

       

       
942

       
+

       
    };


     

       

       
943

       
+

       



     

       
922

       
944

       
 

       
    peerConfig = mkOption {


     

       
923

       
945

       
 

       
      default = {};


     

       
924

       
946

       
 

       
      example = { Name = "veth2"; };


     
···

       
1448

       
1470

       
 

       
        + optionalString (def.tunnelConfig != { }) ''


     

       
1449

       
1471

       
 

       
          [Tunnel]


     

       
1450

       
1472

       
 

       
          ${attrsToSection def.tunnelConfig}


     

       

       
1473

       
+

       
        ''


     

       

       
1474

       
+

       
        + optionalString (def.fooOverUDPConfig != { }) ''


     

       

       
1475

       
+

       
          [FooOverUDP]


     

       

       
1476

       
+

       
          ${attrsToSection def.fooOverUDPConfig}


     

       
1451

       
1477

       
 

       
        ''


     

       
1452

       
1478

       
 

       
        + optionalString (def.peerConfig != { }) ''


     

       
1453

       
1479

       
 

       
          [Peer]
+34
nixos/modules/tasks/network-interfaces-scripted.nix 
···

       
466

       
466

       
 

       
            '';


     

       
467

       
467

       
 

       
          });


     

       
468

       
468

       
 

       



     

       

       
469

       
+

       
        createFouEncapsulation = n: v: nameValuePair "${n}-fou-encap"


     

       

       
470

       
+

       
          (let


     

       

       
471

       
+

       
            # if we have a device to bind to we can wait for its addresses to be


     

       

       
472

       
+

       
            # configured, otherwise external sequencing is required.


     

       

       
473

       
+

       
            deps = optionals (v.local != null && v.local.dev != null)


     

       

       
474

       
+

       
              (deviceDependency v.local.dev ++ [ "network-addresses-${v.local.dev}.service" ]);


     

       

       
475

       
+

       
            fouSpec = "port ${toString v.port} ${


     

       

       
476

       
+

       
              if v.protocol != null then "ipproto ${toString v.protocol}" else "gue"


     

       

       
477

       
+

       
            } ${


     

       

       
478

       
+

       
              optionalString (v.local != null) "local ${escapeShellArg v.local.address} ${


     

       

       
479

       
+

       
                optionalString (v.local.dev != null) "dev ${escapeShellArg v.local.dev}"


     

       

       
480

       
+

       
              }"


     

       

       
481

       
+

       
            }";


     

       

       
482

       
+

       
          in


     

       

       
483

       
+

       
          { description = "FOU endpoint ${n}";


     

       

       
484

       
+

       
            wantedBy = [ "network-setup.service" (subsystemDevice n) ];


     

       

       
485

       
+

       
            bindsTo = deps;


     

       

       
486

       
+

       
            partOf = [ "network-setup.service" ];


     

       

       
487

       
+

       
            after = [ "network-pre.target" ] ++ deps;


     

       

       
488

       
+

       
            before = [ "network-setup.service" ];


     

       

       
489

       
+

       
            serviceConfig.Type = "oneshot";


     

       

       
490

       
+

       
            serviceConfig.RemainAfterExit = true;


     

       

       
491

       
+

       
            path = [ pkgs.iproute2 ];


     

       

       
492

       
+

       
            script = ''


     

       

       
493

       
+

       
              # always remove previous incarnation since show can't filter


     

       

       
494

       
+

       
              ip fou del ${fouSpec} >/dev/null 2>&1 || true


     

       

       
495

       
+

       
              ip fou add ${fouSpec}


     

       

       
496

       
+

       
            '';


     

       

       
497

       
+

       
            postStop = ''


     

       

       
498

       
+

       
              ip fou del ${fouSpec} || true


     

       

       
499

       
+

       
            '';


     

       

       
500

       
+

       
          });


     

       

       
501

       
+

       



     

       
469

       
502

       
 

       
        createSitDevice = n: v: nameValuePair "${n}-netdev"


     

       
470

       
503

       
 

       
          (let


     

       
471

       
504

       
 

       
            deps = deviceDependency v.dev;


     
···

       
530

       
563

       
 

       
         // mapAttrs' createVswitchDevice cfg.vswitches


     

       
531

       
564

       
 

       
         // mapAttrs' createBondDevice cfg.bonds


     

       
532

       
565

       
 

       
         // mapAttrs' createMacvlanDevice cfg.macvlans


     

       

       
566

       
+

       
         // mapAttrs' createFouEncapsulation cfg.fooOverUDP


     

       
533

       
567

       
 

       
         // mapAttrs' createSitDevice cfg.sits


     

       
534

       
568

       
 

       
         // mapAttrs' createVlanDevice cfg.vlans


     

       
535

       
569

       
 

       
         // {
+20
nixos/modules/tasks/network-interfaces-systemd.nix 
···

       
47

       
47

       
 

       
    } ] ++ flip mapAttrsToList cfg.bridges (n: { rstp, ... }: {


     

       
48

       
48

       
 

       
      assertion = !rstp;


     

       
49

       
49

       
 

       
      message = "networking.bridges.${n}.rstp is not supported by networkd.";


     

       

       
50

       
+

       
    }) ++ flip mapAttrsToList cfg.fooOverUDP (n: { local, ... }: {


     

       

       
51

       
+

       
      assertion = local == null;


     

       

       
52

       
+

       
      message = "networking.fooOverUDP.${n}.local is not supported by networkd.";


     

       
50

       
53

       
 

       
    });


     

       
51

       
54

       
 

       



     

       
52

       
55

       
 

       
    networking.dhcpcd.enable = mkDefault false;


     
···

       
193

       
196

       
 

       
        networks."40-${macvlan.interface}" = (mkMerge [ (genericNetwork (mkOverride 999)) {


     

       
194

       
197

       
 

       
          macvlan = [ name ];


     

       
195

       
198

       
 

       
        } ]);


     

       

       
199

       
+

       
      })))


     

       

       
200

       
+

       
      (mkMerge (flip mapAttrsToList cfg.fooOverUDP (name: fou: {


     

       

       
201

       
+

       
        netdevs."40-${name}" = {


     

       

       
202

       
+

       
          netdevConfig = {


     

       

       
203

       
+

       
            Name = name;


     

       

       
204

       
+

       
            Kind = "fou";


     

       

       
205

       
+

       
          };


     

       

       
206

       
+

       
          # unfortunately networkd cannot encode dependencies of netdevs on addresses/routes,


     

       

       
207

       
+

       
          # so we cannot specify Local=, Peer=, PeerPort=. this looks like a missing feature


     

       

       
208

       
+

       
          # in networkd.


     

       

       
209

       
+

       
          fooOverUDPConfig = {


     

       

       
210

       
+

       
            Port = fou.port;


     

       

       
211

       
+

       
            Encapsulation = if fou.protocol != null then "FooOverUDP" else "GenericUDPEncapsulation";


     

       

       
212

       
+

       
          } // (optionalAttrs (fou.protocol != null) {


     

       

       
213

       
+

       
            Protocol = fou.protocol;


     

       

       
214

       
+

       
          });


     

       

       
215

       
+

       
        };


     

       
196

       
216

       
 

       
      })))


     

       
197

       
217

       
 

       
      (mkMerge (flip mapAttrsToList cfg.sits (name: sit: {


     

       
198

       
218

       
 

       
        netdevs."40-${name}" = {
+68 -1
nixos/modules/tasks/network-interfaces.nix 
···

       
10

       
10

       
 

       
  hasVirtuals = any (i: i.virtual) interfaces;


     

       
11

       
11

       
 

       
  hasSits = cfg.sits != { };


     

       
12

       
12

       
 

       
  hasBonds = cfg.bonds != { };


     

       

       
13

       
+

       
  hasFous = cfg.fooOverUDP != { };


     

       
13

       
14

       
 

       



     

       
14

       
15

       
 

       
  slaves = concatMap (i: i.interfaces) (attrValues cfg.bonds)


     

       
15

       
16

       
 

       
    ++ concatMap (i: i.interfaces) (attrValues cfg.bridges)


     
···

       
823

       
824

       
 

       
      });


     

       
824

       
825

       
 

       
    };


     

       
825

       
826

       
 

       



     

       

       
827

       
+

       
    networking.fooOverUDP = mkOption {


     

       

       
828

       
+

       
      default = { };


     

       

       
829

       
+

       
      example =


     

       

       
830

       
+

       
        {


     

       

       
831

       
+

       
          primary = { port = 9001; local = { address = "192.0.2.1"; dev = "eth0"; }; };


     

       

       
832

       
+

       
          backup =  { port = 9002; };


     

       

       
833

       
+

       
        };


     

       

       
834

       
+

       
      description = ''


     

       

       
835

       
+

       
        This option allows you to configure Foo Over UDP and Generic UDP Encapsulation


     

       

       
836

       
+

       
        endpoints. See <citerefentry><refentrytitle>ip-fou</refentrytitle>


     

       

       
837

       
+

       
        <manvolnum>8</manvolnum></citerefentry> for details.


     

       

       
838

       
+

       
      '';


     

       

       
839

       
+

       
      type = with types; attrsOf (submodule {


     

       

       
840

       
+

       
        options = {


     

       

       
841

       
+

       
          port = mkOption {


     

       

       
842

       
+

       
            type = port;


     

       

       
843

       
+

       
            description = ''


     

       

       
844

       
+

       
              Local port of the encapsulation UDP socket.


     

       

       
845

       
+

       
            '';


     

       

       
846

       
+

       
          };


     

       

       
847

       
+

       



     

       

       
848

       
+

       
          protocol = mkOption {


     

       

       
849

       
+

       
            type = nullOr (ints.between 1 255);


     

       

       
850

       
+

       
            default = null;


     

       

       
851

       
+

       
            description = ''


     

       

       
852

       
+

       
              Protocol number of the encapsulated packets. Specifying <literal>null</literal>


     

       

       
853

       
+

       
              (the default) creates a GUE endpoint, specifying a protocol number will create


     

       

       
854

       
+

       
              a FOU endpoint.


     

       

       
855

       
+

       
            '';


     

       

       
856

       
+

       
          };


     

       

       
857

       
+

       



     

       

       
858

       
+

       
          local = mkOption {


     

       

       
859

       
+

       
            type = nullOr (submodule {


     

       

       
860

       
+

       
              options = {


     

       

       
861

       
+

       
                address = mkOption {


     

       

       
862

       
+

       
                  type = types.str;


     

       

       
863

       
+

       
                  description = ''


     

       

       
864

       
+

       
                    Local address to bind to. The address must be available when the FOU


     

       

       
865

       
+

       
                    endpoint is created, using the scripted network setup this can be achieved


     

       

       
866

       
+

       
                    either by setting <literal>dev</literal> or adding dependency information to


     

       

       
867

       
+

       
                    <literal>systemd.services.&lt;name&gt;-fou-encap</literal>; it isn't supported


     

       

       
868

       
+

       
                    when using networkd.


     

       

       
869

       
+

       
                  '';


     

       

       
870

       
+

       
                };


     

       

       
871

       
+

       



     

       

       
872

       
+

       
                dev = mkOption {


     

       

       
873

       
+

       
                  type = nullOr str;


     

       

       
874

       
+

       
                  default = null;


     

       

       
875

       
+

       
                  example = "eth0";


     

       

       
876

       
+

       
                  description = ''


     

       

       
877

       
+

       
                    Network device to bind to.


     

       

       
878

       
+

       
                  '';


     

       

       
879

       
+

       
                };


     

       

       
880

       
+

       
              };


     

       

       
881

       
+

       
            });


     

       

       
882

       
+

       
            default = null;


     

       

       
883

       
+

       
            example = { address = "203.0.113.22"; };


     

       

       
884

       
+

       
            description = ''


     

       

       
885

       
+

       
              Local address (and optionally device) to bind to using the given port.


     

       

       
886

       
+

       
            '';


     

       

       
887

       
+

       
          };


     

       

       
888

       
+

       
        };


     

       

       
889

       
+

       
      });


     

       

       
890

       
+

       
    };


     

       

       
891

       
+

       



     

       
826

       
892

       
 

       
    networking.sits = mkOption {


     

       
827

       
893

       
 

       
      default = { };


     

       
828

       
894

       
 

       
      example = literalExpression ''


     
···

       
1116

       
1182

       
 

       
    boot.kernelModules = [ ]


     

       
1117

       
1183

       
 

       
      ++ optional hasVirtuals "tun"


     

       
1118

       
1184

       
 

       
      ++ optional hasSits "sit"


     

       
1119

       

       
-

       
      ++ optional hasBonds "bonding";


     

       

       
1185

       
+

       
      ++ optional hasBonds "bonding"


     

       

       
1186

       
+

       
      ++ optional hasFous "fou";


     

       
1120

       
1187

       
 

       



     

       
1121

       
1188

       
 

       
    boot.extraModprobeConfig =


     

       
1122

       
1189

       
 

       
      # This setting is intentional as it prevents default bond devices
+46
nixos/tests/networking.nix 
···

       
380

       
380

       
 

       
              router.wait_until_succeeds("ping -c 1 192.168.1.3")


     

       
381

       
381

       
 

       
        '';


     

       
382

       
382

       
 

       
    };


     

       

       
383

       
+

       
    fou = {


     

       

       
384

       
+

       
      name = "foo-over-udp";


     

       

       
385

       
+

       
      nodes.machine = { ... }: {


     

       

       
386

       
+

       
        virtualisation.vlans = [ 1 ];


     

       

       
387

       
+

       
        networking = {


     

       

       
388

       
+

       
          useNetworkd = networkd;


     

       

       
389

       
+

       
          useDHCP = false;


     

       

       
390

       
+

       
          interfaces.eth1.ipv4.addresses = mkOverride 0


     

       

       
391

       
+

       
            [ { address = "192.168.1.1"; prefixLength = 24; } ];


     

       

       
392

       
+

       
          fooOverUDP = {


     

       

       
393

       
+

       
            fou1 = { port = 9001; };


     

       

       
394

       
+

       
            fou2 = { port = 9002; protocol = 41; };


     

       

       
395

       
+

       
            fou3 = mkIf (!networkd)


     

       

       
396

       
+

       
              { port = 9003; local.address = "192.168.1.1"; };


     

       

       
397

       
+

       
            fou4 = mkIf (!networkd)


     

       

       
398

       
+

       
              { port = 9004; local = { address = "192.168.1.1"; dev = "eth1"; }; };


     

       

       
399

       
+

       
          };


     

       

       
400

       
+

       
        };


     

       

       
401

       
+

       
        systemd.services = {


     

       

       
402

       
+

       
          fou3-fou-encap.after = optional (!networkd) "network-addresses-eth1.service";


     

       

       
403

       
+

       
        };


     

       

       
404

       
+

       
      };


     

       

       
405

       
+

       
      testScript = { ... }:


     

       

       
406

       
+

       
        ''


     

       

       
407

       
+

       
          import json


     

       

       
408

       
+

       



     

       

       
409

       
+

       
          machine.wait_for_unit("network.target")


     

       

       
410

       
+

       
          fous = json.loads(machine.succeed("ip -json fou show"))


     

       

       
411

       
+

       
          assert {"port": 9001, "gue": None, "family": "inet"} in fous, "fou1 exists"


     

       

       
412

       
+

       
          assert {"port": 9002, "ipproto": 41, "family": "inet"} in fous, "fou2 exists"


     

       

       
413

       
+

       
        '' + optionalString (!networkd) ''


     

       

       
414

       
+

       
          assert {


     

       

       
415

       
+

       
              "port": 9003,


     

       

       
416

       
+

       
              "gue": None,


     

       

       
417

       
+

       
              "family": "inet",


     

       

       
418

       
+

       
              "local": "192.168.1.1",


     

       

       
419

       
+

       
          } in fous, "fou3 exists"


     

       

       
420

       
+

       
          assert {


     

       

       
421

       
+

       
              "port": 9004,


     

       

       
422

       
+

       
              "gue": None,


     

       

       
423

       
+

       
              "family": "inet",


     

       

       
424

       
+

       
              "local": "192.168.1.1",


     

       

       
425

       
+

       
              "dev": "eth1",


     

       

       
426

       
+

       
          } in fous, "fou4 exists"


     

       

       
427

       
+

       
        '';


     

       

       
428

       
+

       
    };


     

       
383

       
429

       
 

       
    sit = let


     

       
384

       
430

       
 

       
      node = { address4, remote, address6 }: { pkgs, ... }: with pkgs.lib; {


     

       
385

       
431

       
 

       
        virtualisation.vlans = [ 1 ];