From 1176525f8788e95b34c1e6e3ebbe8537472d705a Mon Sep 17 00:00:00 2001 From: Alyssa Ross Date: Fri, 21 Jan 2022 11:40:28 +0000 Subject: treewide: remove obsolete kernel version checks We don't support Linux kernels older than 4.4 in Nixpkgs. --- nixos/modules/tasks/network-interfaces.nix | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) (limited to 'nixos/modules/tasks/network-interfaces.nix') diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 5c91993771e..06117ab451d 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1325,22 +1325,13 @@ in val = tempaddrValues.${opt}.sysctl; in nameValuePair "net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr" val)); - # Capabilities won't work unless we have at-least a 4.3 Linux - # kernel because we need the ambient capability - security.wrappers = if (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") then { + security.wrappers = { ping = { owner = "root"; group = "root"; capabilities = "cap_net_raw+p"; source = "${pkgs.iputils.out}/bin/ping"; }; - } else { - ping = { - setuid = true; - owner = "root"; - group = "root"; - source = "${pkgs.iputils.out}/bin/ping"; - }; }; security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter '' /run/wrappers/bin/ping { -- cgit 1.4.1 From 0a62de4cd5b82357b308231897f070706ffdfd4e Mon Sep 17 00:00:00 2001 From: jpathy <15735913+jpathy@users.noreply.github.com> Date: Wed, 16 Mar 2022 11:18:15 +0530 Subject: networking.greTunnels: support ip6gre* --- nixos/modules/tasks/network-interfaces.nix | 15 ++++++++++++-- nixos/tests/networking.nix | 33 ++++++++++++++++++++++++++++-- 2 files changed, 44 insertions(+), 4 deletions(-) (limited to 'nixos/modules/tasks/network-interfaces.nix') 
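Review bot: In the `security.wrappers` hunk of nixos/modules/tasks/network-interfaces.nix (@@ -1325), the deleted comment was the only text explaining why ping gets a capability wrapper, and the new `security.wrappers = {` line has no replacement. With the setuid branch gone, a short comment would keep the least-privilege intent on record, e.g. `# ping only needs CAP_NET_RAW, so grant that single capability instead of making the wrapper setuid root`. The removed comment tied the capability wrapper to ambient-capability support (kernel 4.3 or newer), and the commit message gives 4.4 as the oldest supported kernel. Nothing in this hunk enforces that floor, so it is presumably asserted elsewhere; that is worth confirming for users who override `boot.kernelPackages`. The enclosing attribute set begins and ends outside the hunk.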
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 06117ab451d..01980b80f1c 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1021,6 +1021,12 @@ in dev = "enp4s0f0"; type = "tap"; }; + gre6Tunnel = { + remote = "fd7a:5634::1"; + local = "fd7a:5634::2"; + dev = "enp4s0f0"; + type = "tun6"; + }; } ''; description = '' @@ -1058,10 +1064,15 @@ in }; type = mkOption { - type = with types; enum [ "tun" "tap" ]; + type = with types; enum [ "tun" "tap" "tun6" "tap6" ]; default = "tap"; example = "tap"; - apply = v: if v == "tun" then "gre" else "gretap"; + apply = v: { + tun = "gre"; + tap = "gretap"; + tun6 = "ip6gre"; + tap6 = "ip6gretap"; + }.${v}; description = '' Whether the tunnel routes layer 2 (tap) or layer 3 (tun) traffic. ''; diff --git a/nixos/tests/networking.nix b/nixos/tests/networking.nix index 8c9df19f2d5..b763cbd4665 100644 --- a/nixos/tests/networking.nix +++ b/nixos/tests/networking.nix @@ -498,6 +498,7 @@ let networking = { useNetworkd = networkd; useDHCP = false; + firewall.extraCommands = "ip6tables -A nixos-fw -p gre -j nixos-fw-accept"; }; }; in { @@ -506,7 +507,7 @@ let mkMerge [ (node args) { - virtualisation.vlans = [ 1 2 ]; + virtualisation.vlans = [ 1 2 4 ]; networking = { greTunnels = { greTunnel = { @@ -515,12 +516,24 @@ let dev = "eth2"; type = "tap"; }; + gre6Tunnel = { + local = "fd00:1234:5678:4::1"; + remote = "fd00:1234:5678:4::2"; + dev = "eth3"; + type = "tun6"; + }; }; bridges.bridge.interfaces = [ "greTunnel" "eth1" ]; interfaces.eth1.ipv4.addresses = mkOverride 0 []; interfaces.bridge.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.1"; prefixLength = 24; } ]; + interfaces.eth3.ipv6.addresses = [ + { address = "fd00:1234:5678:4::1"; prefixLength = 64; } + ]; + interfaces.gre6Tunnel.ipv6.addresses = mkOverride 0 [ + { address = "fc00::1"; prefixLength = 64; } + ]; }; } ]; 
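Review bot: In the `type` option hunk of network-interfaces.nix (@@ -1058), the `description` still reads "Whether the tunnel routes layer 2 (tap) or layer 3 (tun) traffic" and says nothing about the new `tun6`/`tap6` values. Going by the `apply` mapping they select `ip6gre` and `ip6gretap`, so I would extend it to something like `Whether the tunnel routes layer 2 (tap) or layer 3 (tun) traffic; the "6" variants encapsulate over IPv6 (ip6gre, ip6gretap).` Nothing visible here checks that `local` and `remote` belong to the address family the chosen type implies. Those options are declared outside the hunk, so it should be confirmed whether a mismatch is rejected at evaluation time or only fails when the interface is created.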
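Review bot: The `firewall.extraCommands` rule added in nixos/tests/networking.nix (@@ -498) accepts IPv6 GRE from any source on every interface of the node. GRE has no authentication of its own, and test configurations tend to be copied as usage examples, so I would scope the rule to the underlay the tunnel actually uses, e.g. `ip6tables -A nixos-fw -i eth3 -s fd00:1234:5678:4::/64 -p gre -j nixos-fw-accept`. The need for this rule also suggests that ip6gre users must open the firewall by hand, which the option documentation touched in this commit does not mention. The `node` definition starts outside the hunk.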
@@ -528,7 +541,7 @@ let mkMerge [ (node args) { - virtualisation.vlans = [ 2 3 ]; + virtualisation.vlans = [ 2 3 4 ]; networking = { greTunnels = { greTunnel = { @@ -537,12 +550,24 @@ let dev = "eth1"; type = "tap"; }; + gre6Tunnel = { + local = "fd00:1234:5678:4::2"; + remote = "fd00:1234:5678:4::1"; + dev = "eth3"; + type = "tun6"; + }; }; bridges.bridge.interfaces = [ "greTunnel" "eth2" ]; interfaces.eth2.ipv4.addresses = mkOverride 0 []; interfaces.bridge.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.2"; prefixLength = 24; } ]; + interfaces.eth3.ipv6.addresses = [ + { address = "fd00:1234:5678:4::2"; prefixLength = 64; } + ]; + interfaces.gre6Tunnel.ipv6.addresses = mkOverride 0 [ + { address = "fc00::2"; prefixLength = 64; } + ]; }; } ]; @@ -562,6 +587,10 @@ let client1.wait_until_succeeds("ping -c 1 192.168.1.2") client2.wait_until_succeeds("ping -c 1 192.168.1.1") + + client1.wait_until_succeeds("ping -c 1 fc00::2") + + client2.wait_until_succeeds("ping -c 1 fc00::1") ''; }; vlan = let -- cgit 1.4.1
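Review bot: The test-script hunk (@@ -562) only pings across `gre6Tunnel`, which both nodes declare with `type = "tun6"` (hunks @@ -515 and @@ -537), so the new `tap6` to `ip6gretap` mapping is never exercised. A second tunnel with `type = "tap6"` and a matching `wait_until_succeeds("ping -c 1 …")` on each client would cover it. Separately, the addresses inside the tunnel (`fc00::1`, `fc00::2`) and the underlay ones (`fd00:1234:5678:4::/64`) are easy to confuse when reading the node configs. A one-line comment above the address blocks would help, such as `# fc00::/64 is carried inside gre6Tunnel; fd00:1234:5678:4::/64 is the eth3 underlay`.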