sanitised subset of my router configuration
--- dhcpcd-8.0.6/src/duid.c.orig 2019-11-10 23:40:57.191672442 +0900 | |
+++ dhcpcd-8.0.6/src/duid.c 2019-11-10 23:43:33.843257234 +0900 | |
@@ -179,11 +179,6 @@ | |
/* Regardless of what happens we will create a DUID to use. */ | |
*d = data; | |
- /* No file? OK, lets make one based the machines UUID */ | |
- len = duid_make_uuid(data); | |
- if (len > 0) | |
- return len; | |
- | |
/* No UUID? OK, lets make one based on our interface */ | |
if (ifp->hwlen == 0) { | |
logwarnx("%s: does not have hardware address", ifp->name); | |
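Review bot: With the UUID branch deleted, the context comment directly below it, `/* No UUID? OK, lets make one based on our interface */`, is stale: nothing in the new code attempts a UUID any more, so a reader is sent looking for a branch that no longer exists. The fallback order is now file → interface, so `/* No file? OK, lets make one based on our interface */` describes the surviving logic accurately. The enclosing function starts outside the hunk.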
@@ -206,7 +201,7 @@ | |
logerr("%s", DUID); | |
return duid_make(data, ifp, DUID_LL); | |
} | |
- len = duid_make(data, ifp, DUID_LLT); | |
+ len = duid_make(data, ifp, DUID_LL); | |
x = fprintf(fp, "%s\n", hwaddr_ntoa(data, len, line, sizeof(line))); | |
if (fclose(fp) == EOF) | |
x = -1; |
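Review bot: DUID_LL is derived from the interface hardware address alone, so the value written by `fprintf(fp, "%s\n", hwaddr_ntoa(...))` no longer carries the DUID_LLT time component that distinguished fresh installs on the same hardware; since a hardware-stable DUID is presumably the point of this patch (the fopen-failure path two lines up already used DUID_LL), a one-line comment above the `duid_make` call stating that intent would stop a later maintainer from reverting to DUID_LLT. A DUID persisted by the previous build is presumably still read back from the file earlier in this function, so the new behaviour only takes effect once that file is absent — worth noting in the same comment. The enclosing function starts outside the hunk.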
--- dhcpcd-8.0.6/src/dhcpcd-definitions.conf.orig 2019-11-10 23:36:20.611937177 +0900 | |
+++ dhcpcd-8.0.6/src/dhcpcd-definitions.conf 2019-11-10 23:36:27.991823369 +0900 | |
@@ -576,8 +576,8 @@ | |
# Section 7 states that clients MUST ignore the option 81 | |
# DHCPv6 SOL_MAX_RT, RFC7083 | |
-define6 82 request uint32 sol_max_rt | |
-define6 83 request uint32 inf_max_rt | |
+define6 82 uint32 sol_max_rt | |
+define6 83 uint32 inf_max_rt | |
# DHCPv6 Softwire Address and Port-Mapped Clients, RFC7598 | |
define6 89 embed s46_rule |
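Review bot: Dropping `request` from the option 82 and 83 definitions means SOL_MAX_RT and INF_MAX_RT are no longer placed in the client's Option Request option, which RFC 7083 requires DHCPv6 clients to do, and the hunk records no reason for the deviation. A comment on the two definitions, e.g. `# not requested: <reason placeholder>`, would document why (presumably an upstream server that misbehaves when they are asked for). The surrounding section of the definitions file is otherwise unchanged.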
diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix | |
index 7b278603455..602448b0538 100644 | |
--- a/nixos/modules/services/networking/dhcpcd.nix | |
+++ b/nixos/modules/services/networking/dhcpcd.nix | |
@@ -37,11 +37,11 @@ let | |
dhcpcdConf = pkgs.writeText "dhcpcd.conf" | |
'' | |
# Inform the DHCP server of our hostname for DDNS. | |
- hostname | |
+ # hostname | |
# A list of options to request from the DHCP server. | |
- option domain_name_servers, domain_name, domain_search, host_name | |
- option classless_static_routes, ntp_servers, interface_mtu | |
+ # option domain_name_servers, domain_name, domain_search, host_name | |
+ # option classless_static_routes, ntp_servers, interface_mtu | |
# A ServerID is required by RFC2131. | |
# Commented out because of many non-compliant DHCP servers in the wild :( |
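Review bot: Commenting out `hostname` and the two `option` lines leaves the explanatory comments above them — `# Inform the DHCP server of our hostname for DDNS.` and `# A list of options to request from the DHCP server.` — describing configuration that is no longer in effect, so the generated dhcpcd.conf reads as if the lines were simply forgotten. Because this is applied as a private patch to the module, a comment such as `# Defaults disabled locally; requested options are set per-interface in extraConfig.` would make the intent visible in the generated file. The hunk sits inside the `dhcpcdConf` let-binding, which continues outside it.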
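{ config, lib, pkgs, ... }:
# Sanitised subset of a MAP-E router configuration: dhcpcd obtains a delegated
# IPv6 prefix on the upstream link, IPv4 is carried inside an ip6tnl tunnel
# (tun0) and source-NATed into a fixed port range.  All addresses below are
# placeholders from the sanitised copy, not real endpoints.
let
  internalIf = "ens224"; # LAN side
  upstreamIf = "ens192"; # ISP side, IPv6 only
  # Tunnel endpoints (placeholder values).
  tunnel = {
    v4 = "1.2.3.4";      # IPv4 address held on tun0 (/32)
    v6 = "fd80:fake::1"; # local ip6tnl endpoint, configured on the upstream interface
    br = "fd80:fake::2"; # remote ip6tnl endpoint (border relay)
  };
  # Attaches the MAP-E BPF classifiers built from ./nix-mape/bpf.nix to tun0.
  # `tc qdisc add` is not idempotent: a second run fails under set -e because
  # the clsact qdisc already exists, so the unit is meant to run once per
  # appearance of tun0.
  configure-map-e = pkgs.writeScriptBin "configure-map-e" ''
    #!${pkgs.runtimeShell}
    set -euo pipefail
    export PATH=${lib.makeBinPath [ pkgs.iproute ]}:$PATH
    tc qdisc add dev tun0 clsact
    tc filter add dev tun0 ingress bpf da obj ${bpfProg}/mape.o section ingress
    tc filter add dev tun0 egress bpf da obj ${bpfProg}/mape.o section egress
  '';
  bpfProg = pkgs.callPackage ./nix-mape/bpf.nix {
    kernel = config.system.build.kernel;
  };
in
{
  nixpkgs.overlays = [ (self: super: {
    dhcpcd = super.dhcpcd.overrideAttrs (attrs: {
      # --disable-auth builds dhcpcd without DHCP authentication (RFC 3118)
      # support.  The two patches (kept next to this file) drop the module's
      # default option list and switch the persisted DUID to link-layer form.
      configureFlags = (attrs.configureFlags or []) ++ [ "--disable-auth" ];
      patches = (attrs.patches or []) ++ [ ./dhcpcd-no-default-options.patch ./dhcpcd-ll-duid.patch ];
    });
  }) ];
  # Reject rather than silently drop: friendlier for LAN diagnostics, but the
  # router is also visibly present to anything probing the upstream side.
  networking.firewall.rejectPackets = true;
  # smart-nixos is a local module (not part of this gist); only connections
  # initiated from the LAN are forwarded.
  smart-nixos.networking.firewall = {
    filterForwarding = true;
    extraForwardCommands = ''
      ip46tables -A smart-nixos-forward -i ${internalIf} -m conntrack --ctstate NEW -j ACCEPT
    '';
  };
  # JIT for the tc BPF classifiers.  NOTE(review): net.core.bpf_jit_harden is
  # left at its default here — confirm that is acceptable for this host.
  boot.kernel.sysctl."net.core.bpf_jit_enable" = 1;
  networking.useDHCP = true;
  networking.dhcpcd.enable = true;
  # Disable everything globally, then on the upstream interface enable only
  # router solicitation and prefix delegation; the delegated /64 (sla id 0)
  # is assigned to the LAN interface.
  networking.dhcpcd.extraConfig = ''
    noipv6rs
    nodhcp
    noipv4
    interface ${upstreamIf}
    ipv6rs
    nooption dhcp6_vivco
    option dhcp6_rapid_commit
    ia_pd 1 ${internalIf}/0/64
  '';
  # `prefix ::/64` presumably advertises the /64 dhcpcd assigned to the LAN
  # interface rather than a fixed prefix — confirm against radvd.conf(5).
  services.radvd.enable = true;
  services.radvd.config = ''
    interface ${internalIf} {
      AdvSendAdvert on;
      prefix ::/64 {};
    };
  '';
  systemd.network = {
    enable = true;
    networks.internal = {
      matchConfig.Name = internalIf;
      networkConfig.Address = "192.168.0.1/24";
      networkConfig.IPForward = "yes";
    };
    # The upstream link only carries IPv6; the local tunnel endpoint lives
    # here and the ip6tnl netdev is attached to it.
    networks.upstream = {
      matchConfig.Name = upstreamIf;
      networkConfig.Address = "${tunnel.v6}/128";
      networkConfig.IPForward = "ipv6";
      networkConfig.Tunnel = "tun0";
    };
    networks.tunnel = {
      matchConfig.Name = "tun0";
      networkConfig.Address = "${tunnel.v4}/32";
      networkConfig.LinkLocalAddressing = "no";
      networkConfig.IPForward = "ipv4";
      # TODO: networkConfig.DefaultRouteOnDevice = true;
      # The option is written raw because the module does not expose it.
      extraConfig = ''
        [Network]
        DefaultRouteOnDevice = true
      '';
    };
    # IPv4-in-IPv6 tunnel to the border relay.
    netdevs.tun0 = {
      netdevConfig = {
        Name = "tun0";
        Kind = "ip6tnl";
      };
      tunnelConfig = {
        Local = tunnel.v6;
        Remote = tunnel.br;
        Mode = "ipip6";
      };
    };
  };
  systemd.services.configure-map-e = {
    serviceConfig.ExecStart = "${configure-map-e}/bin/configure-map-e";
    wantedBy = [ "sys-subsystem-net-devices-tun0.device" ];
    after = [ "sys-subsystem-net-devices-tun0.device" ];
  };
  # MAP-E hands this CE a fixed source-port set, so every IPv4 flow leaving
  # tun0 is masqueraded into that range.  `-C || -A` keeps the unit idempotent
  # (a plain -A appended a duplicate rule on every restart) and -w waits for
  # the xtables lock instead of failing while the firewall unit is running.
  systemd.services.configure-nat = {
    script = let
      ports = "50960-51199";
      rule = proto: "POSTROUTING -p ${proto} -o tun0 -j MASQUERADE --to-ports ${ports}";
      ensure = proto: "iptables -w -t nat -C ${rule proto} || iptables -w -t nat -A ${rule proto}";
    in lib.concatMapStringsSep "\n" ensure [ "tcp" "udp" "icmp" ];
    wantedBy = [ "sys-subsystem-net-devices-tun0.device" ];
    after = [ "sys-subsystem-net-devices-tun0.device" ];
    path = with pkgs; [ iptables ];
  };
  # Leftover from bringing the tunnel up: debug-level networkd logging is
  # verbose and records address/lease details in the journal; drop once
  # the MAP-E setup is stable.
  systemd.services.systemd-networkd.environment."SYSTEMD_LOG_LEVEL" = "debug";
  # Clamp TCP MSS to the tunnel path MTU so forwarded flows do not rely on
  # PMTU discovery working through the encapsulation.
  networking.firewall.extraCommands = ''
    ip46tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
      -j TCPMSS --clamp-mss-to-pmtu
  '';
  networking.firewall.extraStopCommands = ''
    ip46tables -t mangle -F FORWARD
  '';
}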