2018-05-05 08:33:20 +03:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
|
|
let
|
|
|
|
|
cfg = config.services.ndppd;
|
|
|
|
|
|
2019-02-02 15:37:48 +01:00
|
|
|
render = s: f: concatStringsSep "\n" (mapAttrsToList f s);
|
|
|
|
|
prefer = a: b: if a != null then a else b;
|
|
|
|
|
|
|
|
|
|
ndppdConf = prefer cfg.configFile (pkgs.writeText "ndppd.conf" ''
|
|
|
|
|
route-ttl ${toString cfg.routeTTL}
|
|
|
|
|
${render cfg.proxies (proxyInterfaceName: proxy: ''
|
|
|
|
|
proxy ${prefer proxy.interface proxyInterfaceName} {
|
|
|
|
|
router ${boolToString proxy.router}
|
|
|
|
|
timeout ${toString proxy.timeout}
|
|
|
|
|
ttl ${toString proxy.ttl}
|
|
|
|
|
${render proxy.rules (ruleNetworkName: rule: ''
|
|
|
|
|
rule ${prefer rule.network ruleNetworkName} {
|
|
|
|
|
${rule.method}${if rule.method == "iface" then " ${rule.interface}" else ""}
|
|
|
|
|
}'')}
|
|
|
|
|
}'')}
|
|
|
|
|
'');
|
|
|
|
|
|
|
|
|
|
proxy = types.submodule {
|
|
|
|
|
options = {
|
2018-05-05 08:33:20 +03:00
|
|
|
interface = mkOption {
|
2019-02-02 15:37:48 +01:00
|
|
|
type = types.nullOr types.str;
|
|
|
|
|
description = ''
|
|
|
|
|
Listen for any Neighbor Solicitation messages on this interface,
|
|
|
|
|
and respond to them according to a set of rules.
|
|
|
|
|
Defaults to the name of the attrset.
|
|
|
|
|
'';
|
|
|
|
|
default = null;
|
|
|
|
|
};
|
|
|
|
|
router = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Turns on or off the router flag for Neighbor Advertisement Messages.
|
|
|
|
|
'';
|
|
|
|
|
default = true;
|
|
|
|
|
};
|
|
|
|
|
timeout = mkOption {
|
|
|
|
|
type = types.int;
|
|
|
|
|
description = ''
|
2020-04-02 07:39:04 +02:00
|
|
|
Controls how long to wait for a Neighbor Advertisment Message before
|
2019-02-02 15:37:48 +01:00
|
|
|
invalidating the entry, in milliseconds.
|
|
|
|
|
'';
|
|
|
|
|
default = 500;
|
|
|
|
|
};
|
|
|
|
|
ttl = mkOption {
|
|
|
|
|
type = types.int;
|
|
|
|
|
description = ''
|
2020-04-02 07:39:04 +02:00
|
|
|
Controls how long a valid or invalid entry remains in the cache, in
|
2019-02-02 15:37:48 +01:00
|
|
|
milliseconds.
|
|
|
|
|
'';
|
|
|
|
|
default = 30000;
|
2018-05-05 08:33:20 +03:00
|
|
|
};
|
2019-02-02 15:37:48 +01:00
|
|
|
rules = mkOption {
|
|
|
|
|
type = types.attrsOf rule;
|
|
|
|
|
description = ''
|
|
|
|
|
This is a rule that the target address is to match against. If no netmask
|
|
|
|
|
is provided, /128 is assumed. You may have several rule sections, and the
|
|
|
|
|
addresses may or may not overlap.
|
|
|
|
|
'';
|
|
|
|
|
default = {};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
rule = types.submodule {
|
|
|
|
|
options = {
|
2018-05-05 08:33:20 +03:00
|
|
|
network = mkOption {
|
2019-02-02 15:37:48 +01:00
|
|
|
type = types.nullOr types.str;
|
|
|
|
|
description = ''
|
|
|
|
|
This is the target address is to match against. If no netmask
|
|
|
|
|
is provided, /128 is assumed. The addresses of serveral rules
|
|
|
|
|
may or may not overlap.
|
|
|
|
|
Defaults to the name of the attrset.
|
|
|
|
|
'';
|
|
|
|
|
default = null;
|
|
|
|
|
};
|
|
|
|
|
method = mkOption {
|
|
|
|
|
type = types.enum [ "static" "iface" "auto" ];
|
|
|
|
|
description = ''
|
|
|
|
|
static: Immediately answer any Neighbor Solicitation Messages
|
|
|
|
|
(if they match the IP rule).
|
|
|
|
|
iface: Forward the Neighbor Solicitation Message through the specified
|
|
|
|
|
interface and only respond if a matching Neighbor Advertisement
|
|
|
|
|
Message is received.
|
|
|
|
|
auto: Same as iface, but instead of manually specifying the outgoing
|
|
|
|
|
interface, check for a matching route in /proc/net/ipv6_route.
|
|
|
|
|
'';
|
|
|
|
|
default = "auto";
|
2018-05-05 08:33:20 +03:00
|
|
|
};
|
2019-02-02 15:37:48 +01:00
|
|
|
interface = mkOption {
|
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
|
description = "Interface to use when method is iface.";
|
2018-05-05 08:33:20 +03:00
|
|
|
default = null;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2019-02-02 15:37:48 +01:00
|
|
|
in {
|
|
|
|
|
options.services.ndppd = {
|
|
|
|
|
enable = mkEnableOption "daemon that proxies NDP (Neighbor Discovery Protocol) messages between interfaces";
|
|
|
|
|
interface = mkOption {
|
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
|
description = ''
|
|
|
|
|
Interface which is on link-level with router.
|
|
|
|
|
(Legacy option, use services.ndppd.proxies.<interface>.rules.<network> instead)
|
|
|
|
|
'';
|
|
|
|
|
default = null;
|
|
|
|
|
example = "eth0";
|
|
|
|
|
};
|
|
|
|
|
network = mkOption {
|
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
|
description = ''
|
|
|
|
|
Network that we proxy.
|
|
|
|
|
(Legacy option, use services.ndppd.proxies.<interface>.rules.<network> instead)
|
|
|
|
|
'';
|
|
|
|
|
default = null;
|
|
|
|
|
example = "1111::/64";
|
|
|
|
|
};
|
|
|
|
|
configFile = mkOption {
|
|
|
|
|
type = types.nullOr types.path;
|
|
|
|
|
description = "Path to configuration file.";
|
|
|
|
|
default = null;
|
|
|
|
|
};
|
|
|
|
|
routeTTL = mkOption {
|
|
|
|
|
type = types.int;
|
|
|
|
|
description = ''
|
|
|
|
|
This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route,
|
|
|
|
|
in milliseconds.
|
|
|
|
|
'';
|
|
|
|
|
default = 30000;
|
|
|
|
|
};
|
|
|
|
|
proxies = mkOption {
|
|
|
|
|
type = types.attrsOf proxy;
|
|
|
|
|
description = ''
|
|
|
|
|
This sets up a listener, that will listen for any Neighbor Solicitation
|
|
|
|
|
messages, and respond to them according to a set of rules.
|
|
|
|
|
'';
|
|
|
|
|
default = {};
|
2020-04-02 07:39:04 +02:00
|
|
|
example = literalExample ''
|
|
|
|
|
{
|
|
|
|
|
eth0.rules."1111::/64" = {};
|
|
|
|
|
}
|
|
|
|
|
'';
|
2019-02-02 15:37:48 +01:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2018-05-05 08:33:20 +03:00
|
|
|
config = mkIf cfg.enable {
|
2019-02-02 15:37:48 +01:00
|
|
|
warnings = mkIf (cfg.interface != null && cfg.network != null) [ ''
|
|
|
|
|
The options services.ndppd.interface and services.ndppd.network will probably be removed soon,
|
|
|
|
|
please use services.ndppd.proxies.<interface>.rules.<network> instead.
|
|
|
|
|
'' ];
|
|
|
|
|
|
|
|
|
|
services.ndppd.proxies = mkIf (cfg.interface != null && cfg.network != null) {
|
2019-08-13 21:52:01 +00:00
|
|
|
${cfg.interface}.rules.${cfg.network} = {};
|
2019-02-02 15:37:48 +01:00
|
|
|
};
|
|
|
|
|
|
2018-05-05 08:33:20 +03:00
|
|
|
systemd.services.ndppd = {
|
2019-02-03 14:37:55 +01:00
|
|
|
description = "NDP Proxy Daemon";
|
|
|
|
|
documentation = [ "man:ndppd(1)" "man:ndppd.conf(5)" ];
|
2019-02-02 15:37:48 +01:00
|
|
|
after = [ "network-pre.target" ];
|
2018-05-05 08:33:20 +03:00
|
|
|
wantedBy = [ "multi-user.target" ];
|
2019-11-29 17:46:35 +01:00
|
|
|
serviceConfig = {
|
|
|
|
|
ExecStart = "${pkgs.ndppd}/bin/ndppd -c ${ndppdConf}";
|
|
|
|
|
|
|
|
|
|
# Sandboxing
|
|
|
|
|
CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
|
|
|
|
|
ProtectSystem = "strict";
|
|
|
|
|
ProtectHome = true;
|
|
|
|
|
PrivateTmp = true;
|
|
|
|
|
PrivateDevices = true;
|
|
|
|
|
ProtectKernelTunables = true;
|
|
|
|
|
ProtectKernelModules = true;
|
|
|
|
|
ProtectControlGroups = true;
|
|
|
|
|
RestrictAddressFamilies = "AF_INET6 AF_PACKET AF_NETLINK";
|
|
|
|
|
RestrictNamespaces = true;
|
|
|
|
|
LockPersonality = true;
|
|
|
|
|
MemoryDenyWriteExecute = true;
|
|
|
|
|
RestrictRealtime = true;
|
|
|
|
|
RestrictSUIDSGID = true;
|
|
|
|
|
};
|
2018-05-05 08:33:20 +03:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
