add service to enable packet forwarding

might be worth looking into adding RA config to this
2023-09-01 17:34:47 +01:00 · 2023-09-01 17:34:47 +01:00 · 7ad848cb77
commit 7ad848cb77
parent ef666c34cd
5 changed files with 40 additions and 27 deletions
--- a/examples/extneder.nix
+++ b/examples/extneder.nix
@ -43,7 +43,9 @@ in rec {
      IP6_NF_IPTABLES = "y"; # do we still need these
      IP_NF_IPTABLES = "y"; # if using nftables directly

-      # these are copied from rotuer and need review
+      # these are copied from rotuer and need review.
+      # we're not running a firewall, so why do we need
+      # nftables config?
      IP_NF_NAT = "y";
      IP_NF_TARGET_MASQUERADE = "y";
      NETFILTER = "y";
--- a/examples/rotuer.nix
+++ b/examples/rotuer.nix
@ -156,22 +156,7 @@ in rec {
    ruleset = import ./rotuer-firewall.nix;
  };

-  services.packet_forwarding =
-    let
-      ip4 = "/proc/sys/net/ipv4/conf/all/forwarding";
-      ip6 = "/proc/sys/net/ipv6/conf/all/forwarding";
-    in oneshot {
-      name = "let-the-ip-flow";
-      up = ''
-        echo 1 > ${ip4}
-        echo 1 > ${ip6}
-      '';
-      down = ''
-        echo 0 > ${ip4};
-        echo 0 > ${ip6};
-      '';
-      dependencies = [ services.firewall ];
-    };
+  services.packet_forwarding = svc.network.forward.build { };

  services.dhcp6 =
    let
--- a/modules/network/default.nix
+++ b/modules/network/default.nix
@ -24,6 +24,9 @@ in {
      route = mkOption {
        type = liminix.lib.types.serviceDefn;
      };
+      forward = mkOption {
+        type = liminix.lib.types.serviceDefn;
+      };
      dhcp = {
        client = mkOption {
          # this needs to move to its own service as it has
@ -108,6 +111,17 @@ in {
        };
      };

+      forward = liminix.callService ./forward.nix {
+        enableIPv4 = mkOption {
+          type = types.bool;
+          default = true;
+        };
+        enableIPv6 = mkOption {
+          type = types.bool;
+          default = true;
+        };
+      };
+
      dhcp.client = liminix.callService ./dhcpc.nix {
        interface = mkOption {
          type = liminix.lib.types.service;
--- a/modules/network/forward.nix
+++ b/modules/network/forward.nix
@ -0,0 +1,21 @@
+{
+  liminix
+, ifwait
+, serviceFns
+, lib
+}:
+{ enableIPv4, enableIPv6 }:
+let
+  inherit (liminix.services) oneshot;
+  ip4 = "/proc/sys/net/ipv4/conf/all/forwarding";
+  ip6 = "/proc/sys/net/ipv6/conf/all/forwarding";
+  opt = lib.optionalString;
+  sysctls = b :
+    ""
+    + opt enableIPv4 "echo ${b} > ${ip4}\n"
+    + opt enableIPv6 "echo ${b} > ${ip6}\n";
+in oneshot {
+  name = "forwarding${opt enableIPv4 "4"}${opt enableIPv6 "6"}";
+  up = sysctls "1";
+  down = sysctls "0";
+}
--- a/vanilla-configuration.nix
+++ b/vanilla-configuration.nix
@ -22,16 +22,7 @@ in rec {
    dependencies = [ services.dhcpv4 ];
  };

-  services.packet_forwarding =
-    let
-      iface = services.dhcpv4;
-      filename = "/proc/sys/net/ipv4/conf/$(output ${iface} ifname)/forwarding";
-    in oneshot {
-      name = "let-the-ip-flow";
-      up = "echo 1 > ${filename}";
-      down = "echo 0 > ${filename}";
-      dependencies = [iface];
-    };
+  services.packet_forwarding = svc.network.forward.build { };

  services.ntp = config.system.service.ntp.build {
    pools = { "pool.ntp.org" = ["iburst"] ; };