sanitised subset of my router configuration
--- dhcpcd-8.0.6/src/duid.c.orig 2019-11-10 23:40:57.191672442 +0900
+++ dhcpcd-8.0.6/src/duid.c 2019-11-10 23:43:33.843257234 +0900
@@ -179,11 +179,6 @@
/* Regardless of what happens we will create a DUID to use. */
*d = data;
- /* No file? OK, lets make one based the machines UUID */
- len = duid_make_uuid(data);
- if (len > 0)
- return len;
-
/* No UUID? OK, lets make one based on our interface */
if (ifp->hwlen == 0) {
logwarnx("%s: does not have hardware address", ifp->name);
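Review bot: The comment kept at `/* No UUID? OK, lets make one based on our interface */` is now misleading, because the UUID attempt it refers to is exactly what this hunk deletes; it should say what the code does after the patch, e.g. `/* Build the DUID from the interface's hardware address; the UUID-based DUID is deliberately skipped (local patch). */`. The reason for dropping the UUID path is not recorded anywhere in the patch, and a one-line rationale would survive the next dhcpcd rebase better than the bare deletion. The enclosing function starts above this hunk and continues below it.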
@@ -206,7 +201,7 @@
logerr("%s", DUID);
return duid_make(data, ifp, DUID_LL);
}
- len = duid_make(data, ifp, DUID_LLT);
+ len = duid_make(data, ifp, DUID_LL);
x = fprintf(fp, "%s\n", hwaddr_ntoa(data, len, line, sizeof(line)));
if (fclose(fp) == EOF)
x = -1;
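Review bot: After this change the persisted DUID and the fallback three lines above (`return duid_make(data, ifp, DUID_LL);`) both use DUID_LL, which is consistent, but a host that already has a DUID file written by an unpatched build presumably keeps its old DUID-LLT value if that file is read before this code runs (the read path is above the hunk and not visible here). If every host is meant to end up with a DUID-LL, that one-time step should be documented next to the change, e.g. `/* An existing DUID file takes precedence; remove it once to regenerate as DUID-LL. */`. The function continues outside the hunk.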
--- dhcpcd-8.0.6/src/dhcpcd-definitions.conf.orig 2019-11-10 23:36:20.611937177 +0900
+++ dhcpcd-8.0.6/src/dhcpcd-definitions.conf 2019-11-10 23:36:27.991823369 +0900
@@ -576,8 +576,8 @@
# Section 7 states that clients MUST ignore the option 81
# DHCPv6 SOL_MAX_RT, RFC7083
-define6 82 request uint32 sol_max_rt
-define6 83 request uint32 inf_max_rt
+define6 82 uint32 sol_max_rt
+define6 83 uint32 inf_max_rt
# DHCPv6 Softwire Address and Port-Mapped Clients, RFC7598
define6 89 embed s46_rule
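Review bot: Dropping `request` from the SOL_MAX_RT and INF_MAX_RT definitions departs from RFC 7083, which the comment immediately above cites and which has the client include these option codes in its ORO, yet the hunk leaves no note of why. A comment on the line above the two definitions would keep the intent with the patch, e.g. `# Local patch: not requested by default — <reason>` with the actual reason filled in. If the aim is only to stop requesting them on one interface, `nooption sol_max_rt, inf_max_rt` in dhcpcd.conf (the directive already used in this configuration) should achieve that without patching the shipped definitions.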
diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix
index 7b278603455..602448b0538 100644
--- a/nixos/modules/services/networking/dhcpcd.nix
+++ b/nixos/modules/services/networking/dhcpcd.nix
@@ -37,11 +37,11 @@ let
dhcpcdConf = pkgs.writeText "dhcpcd.conf"
''
# Inform the DHCP server of our hostname for DDNS.
- hostname
+ # hostname
# A list of options to request from the DHCP server.
- option domain_name_servers, domain_name, domain_search, host_name
- option classless_static_routes, ntp_servers, interface_mtu
+ # option domain_name_servers, domain_name, domain_search, host_name
+ # option classless_static_routes, ntp_servers, interface_mtu
# A ServerID is required by RFC2131.
# Commented out because of many non-compliant DHCP servers in the wild :(
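Review bot: Commenting out `hostname` leaves the line `# Inform the DHCP server of our hostname for DDNS.` describing a directive that is no longer in effect; either remove it with the directive or reword it, e.g. `# hostname is intentionally not sent (local patch).` Carrying this as a patch to the nixpkgs module is fragile across nixpkgs updates: for the two `option` lines the same effect is reachable from `networking.dhcpcd.extraConfig` with `nooption domain_name_servers, domain_name, domain_search, host_name` and `nooption classless_static_routes, ntp_servers, interface_mtu`, leaving only `hostname` needing the patch. The `''` string this hunk edits begins above the hunk.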
{ config, lib, pkgs, ... }:
let
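# Interface roles: LAN side and ISP-facing side of the router.
internalIf = "ens224";
upstreamIf = "ens192";
# Sanitised endpoint addresses (placeholders, not real values):
#   v4 - address given to tun0
#   v6 - address on the upstream interface and local end of the tunnel
#   br - remote end of the tunnel
tunnel = {
  v4 = "1.2.3.4";
  v6 = "fd80:fake::1";
  br = "fd80:fake::2";
};
# Attaches the MAP-E eBPF classifier to both directions of tun0.
# Written to be re-runnable: with `set -e`, a plain `tc qdisc add` aborts the
# script on a second run ("clsact" already present) and repeated
# `tc filter add` calls would stack duplicate filters, so the qdisc is added
# only if missing and stale filters are flushed first.
configure-map-e = pkgs.writeScriptBin "configure-map-e" ''
  #!${pkgs.runtimeShell}
  set -euo pipefail
  export PATH=${lib.makeBinPath [ pkgs.iproute pkgs.gnugrep ]}:$PATH
  # clsact can exist only once per device; skip the add when it is there.
  tc qdisc show dev tun0 | grep -q clsact || tc qdisc add dev tun0 clsact
  # Flush filters from a previous run (a no-op when there are none).
  tc filter del dev tun0 ingress
  tc filter del dev tun0 egress
  tc filter add dev tun0 ingress bpf da obj ${bpfProg}/mape.o section ingress
  tc filter add dev tun0 egress bpf da obj ${bpfProg}/mape.o section egress
'';
# The classifier object, built from ./nix-mape/bpf.nix against the kernel
# this system boots, so the program matches the running kernel's headers.
bpfProg = pkgs.callPackage ./nix-mape/bpf.nix {
  kernel = config.system.build.kernel;
};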
in
{
# Local dhcpcd build: two patches (presumably the dhcpcd diffs kept alongside
# this configuration: DUID-LL generation and no default option requests) and
# dhcpcd's authentication support switched off at configure time.
nixpkgs.overlays = [
  (self: super: {
    dhcpcd = super.dhcpcd.overrideAttrs (old: {
      configureFlags = (old.configureFlags or [ ]) ++ [ "--disable-auth" ];
      patches = (old.patches or [ ]) ++ [
        ./dhcpcd-no-default-options.patch
        ./dhcpcd-ll-duid.patch
      ];
    });
  })
];
# Refused packets are answered with an explicit reject (ICMP unreachable /
# TCP reset) instead of being dropped silently.
networking.firewall.rejectPackets = true;
# smart-nixos.* appears to be a local module rather than part of nixpkgs;
# its options are defined there.
smart-nixos.networking.firewall = {
filterForwarding = true;
# Forwarding is opened only for connections initiated on the LAN interface.
# NOTE(review): reply traffic is presumably accepted as ESTABLISHED/RELATED
# by the module itself — verify in smart-nixos before relying on it.
extraForwardCommands = ''
ip46tables -A smart-nixos-forward -i ${internalIf} -m conntrack --ctstate NEW -j ACCEPT
'';
};
boot.kernel.sysctl = {
  # JIT-compile eBPF programs; used by the tc classifier attached to tun0.
  "net.core.bpf_jit_enable" = 1;
};
networking.useDHCP = true;
networking.dhcpcd = {
  enable = true;
  # The global lines switch everything off (no router solicitations, no
  # DHCP, no IPv4); the `interface` section then re-enables router
  # solicitations on the upstream link only, asks for rapid commit, and
  # requests a delegated prefix (IAID 1) from which a /64 (SLA id 0) is
  # assigned to the LAN interface.
  extraConfig = ''
    noipv6rs
    nodhcp
    noipv4
    interface ${upstreamIf}
    ipv6rs
    nooption dhcp6_vivco
    option dhcp6_rapid_commit
    ia_pd 1 ${internalIf}/0/64
  '';
};
# Advertise the delegated /64 on the LAN; the prefix itself is taken from
# the interface address, hence the unspecified `::/64`.
services.radvd = {
  enable = true;
  config = ''
    interface ${internalIf} {
    AdvSendAdvert on;
    prefix ::/64 {};
    };
  '';
};
# Three networkd networks — the LAN side, the ISP-facing upstream that holds
# the IPv6 tunnel endpoint, and the ip6tnl device (tun0) that carries IPv4 —
# plus the tunnel netdev itself. Addresses come from the `tunnel` set above.
systemd.network = {
  enable = true;

  networks = {
    # LAN: static gateway address, forwards both address families.
    internal = {
      matchConfig.Name = internalIf;
      networkConfig = {
        Address = "192.168.0.1/24";
        IPForward = "yes";
      };
    };

    # Upstream: carries the local tunnel endpoint and owns tun0; only IPv6
    # is forwarded here since IPv4 travels inside the tunnel.
    upstream = {
      matchConfig.Name = upstreamIf;
      networkConfig = {
        Address = "${tunnel.v6}/128";
        IPForward = "ipv6";
        Tunnel = "tun0";
      };
    };

    # Tunnel: the IPv4 endpoint address, no link-local IPv6, forwards IPv4.
    tunnel = {
      matchConfig.Name = "tun0";
      networkConfig = {
        Address = "${tunnel.v4}/32";
        LinkLocalAddressing = "no";
        IPForward = "ipv4";
      };
      # TODO: use networkConfig.DefaultRouteOnDevice = true (presumably
      # pending module support); the raw [Network] key is written meanwhile.
      extraConfig = ''
        [Network]
        DefaultRouteOnDevice = true
      '';
    };
  };

  # ip6tnl device in ipip6 mode (IPv4 inside IPv6) between the local v6
  # endpoint and the remote "br" endpoint.
  netdevs.tun0 = {
    netdevConfig = {
      Name = "tun0";
      Kind = "ip6tnl";
    };
    tunnelConfig = {
      Local = tunnel.v6;
      Remote = tunnel.br;
      Mode = "ipip6";
    };
  };
};
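# Attach the MAP-E classifier once tun0 exists. With the default Type=simple
# the unit goes inactive the moment the script exits, so `systemctl status`
# could not tell whether tun0 was ever configured; oneshot + RemainAfterExit
# keeps the unit active as a record of that state.
systemd.services.configure-map-e = {
  serviceConfig = {
    Type = "oneshot";
    RemainAfterExit = true;
    ExecStart = "${configure-map-e}/bin/configure-map-e";
  };
  wantedBy = [ "sys-subsystem-net-devices-tun0.device" ];
  after = [ "sys-subsystem-net-devices-tun0.device" ];
};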
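# MASQUERADE on the tunnel with the source-port range pinned to `ports` —
# presumably this CE's MAP-E port set (confirm against the ISP's MAP rule).
# The original appended the rules unconditionally, so every restart of the
# unit stacked duplicates; rules are now added only when absent and removed
# again on stop, mirroring the firewall's extraStopCommands below.
systemd.services.configure-nat = let
  ports = "50960-51199";
  match = proto: "-t nat -p ${proto} -o tun0";
  target = "POSTROUTING -j MASQUERADE --to-ports ${ports}";
  # Append only when the identical rule is not already present.
  add = proto: ''
    iptables ${match proto} -C ${target} || iptables ${match proto} -A ${target}
  '';
  # Best-effort removal: a rule that is already gone is not an error on stop.
  del = proto: ''
    iptables ${match proto} -D ${target} || true
  '';
  protos = [ "tcp" "udp" "icmp" ];
in {
  script = lib.concatMapStrings add protos;
  preStop = lib.concatMapStrings del protos;
  serviceConfig = {
    Type = "oneshot";
    RemainAfterExit = true;
  };
  wantedBy = [ "sys-subsystem-net-devices-tun0.device" ];
  after = [ "sys-subsystem-net-devices-tun0.device" ];
  path = with pkgs; [ iptables ];
};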
# networkd log level forced to debug — a troubleshooting aid that is noisy
# in the journal if left on permanently.
systemd.services.systemd-networkd.environment."SYSTEMD_LOG_LEVEL" = "debug";
# Clamp the TCP MSS of forwarded SYNs to the path MTU so connections through
# the tunnel are not broken by the encapsulation overhead.
networking.firewall.extraCommands = ''
ip46tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu
'';
# NOTE(review): this flushes the entire mangle FORWARD chain, not just the
# rule added above; any other rule placed there is cleared as well.
networking.firewall.extraStopCommands = ''
ip46tables -t mangle -F FORWARD
'';
}