From 690f98b0a6201c473b00acfb8b95bc497ea505f3 Mon Sep 17 00:00:00 2001 From: Patrick Date: Thu, 2 Jan 2025 22:04:16 +0100 Subject: [PATCH] broken: nft filter own packets --- config/basic/net.nix | 28 +++++++++++++++++++++- config/services/hostapd.nix | 47 ++++++++++++++++++++----------------- hosts/nucnix/guests.nix | 2 +- hosts/nucnix/mdns.nix | 14 +++++++---- patches/PR/370347.diff | 43 +++++++++++++++++++++++++++++++++ 5 files changed, 106 insertions(+), 28 deletions(-) create mode 100644 patches/PR/370347.diff diff --git a/config/basic/net.nix b/config/basic/net.nix index ff0e03b..51ff6f1 100644 --- a/config/basic/net.nix +++ b/config/basic/net.nix @@ -1,11 +1,11 @@ { lib, config, + pkgs, ... }: { networking = { - search = [ "local" ]; useNetworkd = true; dhcpcd.enable = false; useDHCP = false; @@ -42,5 +42,31 @@ MulticastDNS=true ''; }; + networking.nftables.ruleset = '' + table inet mdns { + set OWN_IPS { + typeof ip saddr + elements = { 127.0.0.1 } + } + chain prerouting { + type filter hook prerouting priority mangle; policy accept; + udp dport 5353 ip saddr @OWN_IPS drop; + } + } + ''; + services.networkd-dispatcher = { + enable = true; + rules = { + disable-mdns = { + onState = [ "configured" ]; + script = '' + ADDRS=$(${lib.getExe' pkgs.iproute2 "ip"} -j -o addr | ${lib.getExe pkgs.jq} -r ".[] | .addr_info[] | select(.dev != \"lo\") | .local") + for i in $ADDRS; do + ${lib.getExe pkgs.nftables} add element inet mdns OWN_IPS "{ $i }" + done + ''; + }; + }; + }; } diff --git a/config/services/hostapd.nix b/config/services/hostapd.nix index 4516af2..626d915 100644 --- a/config/services/hostapd.nix +++ b/config/services/hostapd.nix 
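Review bot: `set OWN_IPS` is declared `typeof ip saddr` (IPv4 only), but the `disable-mdns` script feeds it every non-loopback `.local` address from `ip -j -o addr`, which also returns the `inet6` entries, so `nft add element` is handed `fe80::…`-style addresses the set cannot hold; once the vendored PR turns rule scripts into `writeShellApplication` (which runs with errexit), the first such failure aborts the loop and any IPv4 address after it is never added, and IPv6 mDNS (ff02::fb) sourced from the host's own addresses is not filtered at all. Select by address family in jq and keep a parallel `ip6` set, as below; note the set is also only ever grown, so addresses that disappear linger until reboot, which is harmless for this drop rule but worth a `flush set` before re-adding if that ever matters. The enclosing attribute set begins outside the hunk.
```nix
networking.nftables.ruleset = ''
  table inet mdns {
    set OWN_IPS {
      typeof ip saddr
      elements = { 127.0.0.1 }
    }
    set OWN_IP6S {
      typeof ip6 saddr
      elements = { ::1 }
    }
    chain prerouting {
      type filter hook prerouting priority mangle; policy accept;
      udp dport 5353 ip saddr @OWN_IPS drop;
      udp dport 5353 ip6 saddr @OWN_IP6S drop;
    }
  }
'';
# … unchanged: services.networkd-dispatcher.enable, rules.disable-mdns.onState …
script = ''
  own_addrs() {
    ${lib.getExe' pkgs.iproute2 "ip"} -j -o addr \
      | ${lib.getExe pkgs.jq} -r --arg fam "$1" \
          '[.[] | .addr_info[] | select(.dev != "lo" and .family == $fam) | .local] | join(",")'
  }
  V4=$(own_addrs inet)
  V6=$(own_addrs inet6)
  if [ -n "$V4" ]; then ${lib.getExe pkgs.nftables} add element inet mdns OWN_IPS "{ $V4 }"; fi
  if [ -n "$V6" ]; then ${lib.getExe pkgs.nftables} add element inet mdns OWN_IP6S "{ $V6 }"; fi
'';
```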
@@ -16,7 +16,10 @@ intel2200BGFirmware ]; boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - networking.nftables.firewall.zones.untrusted.interfaces = [ "lan-services" ]; + networking.nftables.firewall.zones.untrusted.interfaces = [ + "lan-services" + "lan-home" + ]; hardware.wirelessRegulatoryDatabase = true; # systemd.network = { # netdevs."40-wifi-home" = { @@ -40,28 +43,28 @@ # }; # }; - networking.nftables.firewall.zones.wlan.interfaces = [ "wlan1" ]; - networking.nftables.firewall.zones.home.interfaces = [ "lan-home" ]; - networking.nftables.firewall.rules.wifi-forward = { - from = [ "wlan" ]; - to = [ "lan-home" ]; - verdict = "accept"; - }; - systemd.network.networks."40-wifi" = { - matchConfig.Name = "lan-home"; - address = [ - (lib.net.cidr.hostCidr (globals.services.hostapd.ip + 1) globals.net.vlans.home.cidrv4) - (lib.net.cidr.hostCidr (globals.services.hostapd.ip + 1) globals.net.vlans.home.cidrv6) - ]; - gateway = [ - (lib.net.cidr.host 1 globals.net.vlans.home.cidrv4) - (lib.net.cidr.host 1 globals.net.vlans.home.cidrv6) - ]; - - }; - + # networking.nftables.firewall.zones.wlan.interfaces = [ "wlan1" ]; + # networking.nftables.firewall.zones.home.interfaces = [ "lan-home" ]; + # networking.nftables.firewall.rules.wifi-forward = { + # from = [ "wlan" ]; + # to = [ "home" ]; + # verdict = "accept"; + # }; + # systemd.network.networks."40-wifi" = { + # matchConfig.Name = "wlan1"; + # address = [ + # (lib.net.cidr.hostCidr (globals.services.hostapd.ip + 1) globals.net.vlans.home.cidrv4) + # (lib.net.cidr.hostCidr (globals.services.hostapd.ip + 1) globals.net.vlans.home.cidrv6) + # ]; + # gateway = [ + # (lib.net.cidr.host 1 globals.net.vlans.home.cidrv4) + # (lib.net.cidr.host 1 globals.net.vlans.home.cidrv6) + # ]; + # + # }; + # services.hostapd = { - enable = true; + # enable = true; radios.wlan1 = { band = "2g"; countryCode = "DE"; diff --git a/hosts/nucnix/guests.nix b/hosts/nucnix/guests.nix index c5ff29a..fcf0220 100644 --- a/hosts/nucnix/guests.nix 
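Review bot: `lan-home` now joins `lan-services` in the `untrusted` zone while the explicit `wifi-forward` accept rule is removed further down, yet `boot.kernel.sysctl."net.ipv4.ip_forward" = 1` two lines above stays on; whether packets arriving on one untrusted interface may now be routed out the other is left to the firewall module's default for intra-zone forwarding, which nothing in this hunk pins down. Since hostapd is disabled in this commit the guest has no reason to route at all, so tie forwarding to it, e.g. `boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkIf config.services.hostapd.enable 1;` (assuming `config` is among the module arguments), or add an explicit `from = [ "untrusted" ]; to = [ "untrusted" ]; verdict = "drop";` rule if the module does not already provide one. The enclosing attribute set starts and ends outside the hunk.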
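Review bot: Commenting out `enable = true;` leaves the `radios.wlan1` definition below as dead configuration, and the commented block above now carries two edits that differ from the lines it replaces (`to = [ "home" ];` instead of `"lan-home"`, and `matchConfig.Name = "wlan1";` instead of `"lan-home"`) — fixes hidden inside comments are never evaluated and are easy to lose when the block is finally deleted. Prefer an explicit `enable = false;` with the zone, rule and network definitions kept live under a `lib.mkIf config.services.hostapd.enable` guard, so the corrected values stay type-checked, and drop the commented copy since git keeps the history. The attribute set containing these lines begins and ends outside the hunk.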
+++ b/hosts/nucnix/guests.nix
@@ -112,7 +112,7 @@ in
 // mkContainer "nginx" { }
 // mkMicrovm "hostapd" {
 vlans = [
- "guests"
+ # "guests"
 "home"
 "services"
 ];
diff --git a/hosts/nucnix/mdns.nix b/hosts/nucnix/mdns.nix
index 20fc3fd..1c7a795 100644
--- a/hosts/nucnix/mdns.nix
+++ b/hosts/nucnix/mdns.nix
@@ -8,6 +8,12 @@ let
 cfg = {
 interfaces = "lan-.*";
 rules = [
+ {
+ from = ".*";
+ to = "lan-home";
+ allow_questions = "";
+ allow_answers = ".*";
+ }
 {
 from = "lan-home";
 to = "lan-services";
@@ -15,10 +21,10 @@ let
 allow_answers = "";
 }
 {
- from = "lan-services";
- to = "lan-home";
- allow_questions = "";
- allow_answers = "(nucnix|elisabeth)";
+ from = "lan-home";
+ to = "lan-devices";
+ allow_questions = "(printer|ipp)";
+ allow_answers = "";
 }
 ];
 };
diff --git a/patches/PR/370347.diff
new file mode 100644
index 0000000..ce59457
--- /dev/null
+++ b/patches/PR/370347.diff
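Review bot: The new catch-all rule `from = ".*"; to = "lan-home"; allow_answers = ".*";` reflects every mDNS answer from every `lan-*` segment into the home VLAN, whereas the rule it effectively replaces (removed in the next hunk) only admitted `(nucnix|elisabeth)` from `lan-services`. Any host on `lan-devices` — the printer segment, per the next hunk — can therefore advertise arbitrary names and services into `lan-home`, including a spoofed `nucnix`/`elisabeth` or a rogue `_ipp._tcp` that receives print jobs; mDNS carries no authentication, so the reflector's allow-lists are the only control. Keep the allow-list explicit, one rule per source, e.g. `{ from = "lan-services"; to = "lan-home"; allow_questions = ""; allow_answers = "(nucnix|elisabeth)"; }` and `{ from = "lan-devices"; to = "lan-home"; allow_questions = ""; allow_answers = "(printer|ipp)"; }`. Whether `from = ".*"` also matches `lan-home` itself depends on how the reflector treats same-interface traffic, which this file does not show.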
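Review bot: `allow_questions = "(printer|ipp)"` is an unanchored pattern, so — if the reflector treats it as a regex over the queried name, as the earlier `"(nucnix|elisabeth)"` suggests — it forwards into `lan-devices` any home-side query that merely contains those substrings, not just the printer service types. If the match is against the full record name, anchor it to what is actually wanted, e.g. `allow_questions = "^_(ipp|ipps|printer)\\._tcp\\.local\\.?$";`; if the matcher is a plain substring test, the current value is fine but a comment saying so would save the next reader the check. This hunk also drops the only rule that limited which `lan-services` names reach `lan-home`; see the note on the previous hunk.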
@@ -0,0 +1,43 @@
+diff --git a/nixos/modules/services/networking/networkd-dispatcher.nix b/nixos/modules/services/networking/networkd-dispatcher.nix
+index 49d5cd545656a..5e307d81624ee 100644
+--- a/nixos/modules/services/networking/networkd-dispatcher.nix
++++ b/nixos/modules/services/networking/networkd-dispatcher.nix
+@@ -102,21 +102,23 @@ in
+ 
+ services.networkd-dispatcher.extraArgs =
+ let
+- scriptDir = pkgs.symlinkJoin {
+- name = "networkd-dispatcher-script-dir";
+- paths = lib.mapAttrsToList (
+- name: cfg:
+- (map (
+- state:
+- pkgs.writeTextFile {
+- inherit name;
+- text = cfg.script;
+- destination = "/${state}.d/${name}";
+- executable = true;
+- }
+- ) cfg.onState)
+- ) cfg.rules;
+- };
++ scriptDir = pkgs.runCommand "networkd-dispatcher-script-dir" { } ''
++ mkdir $out
++ ${lib.concatStrings (
++ lib.mapAttrsToList (
++ name: cfg:
++ (lib.concatStrings (
++ map (state: ''
++ mkdir -p $out/${state}.d
++ ln -s ${
++ pkgs.writeShellApplication {
++ inherit name;
++ text = cfg.script;
++ }
++ }/bin/${name} $out/${state}.d/${name}'') cfg.onState
++ ))
++ ) cfg.rules
++ )}'';
+ in
+ [
+ "--verbose"