-
-
Notifications
You must be signed in to change notification settings - Fork 14.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/systemd-networkd: add NFTSet related options #332777
base: master
Are you sure you want to change the base?
Conversation
Does this need any validation on the option or a nixos test? This seems similar to recent changes like #318604. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd love to see a NixOS test that exercised these options. I'd also love to see a validator or a structured Nix type that reflects the four possible fields of source, family, table, and set.
@@ -737,6 +737,7 @@ let | |||
"ManageTemporaryAddress" | |||
"AddPrefixRoute" | |||
"AutoJoin" | |||
"NFTSet" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Address documentation: https://www.freedesktop.org/software/systemd/man/latest/systemd.network.html#NFTSet=source:family:table:set
Do you think you need a validator? One seems possible given the documentation above.
@@ -864,6 +865,7 @@ let | |||
"FallbackLeaseLifetimeSec" | |||
"Label" | |||
"Use6RD" | |||
"NFTSet" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
DHCPv4 documentation: https://www.freedesktop.org/software/systemd/man/latest/systemd.network.html#NFTSet=
@@ -913,6 +915,7 @@ let | |||
"IAID" | |||
"UseDelegatedPrefix" | |||
"SendRelease" | |||
"NFTSet" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
DHCPv6 documentation: https://www.freedesktop.org/software/systemd/man/latest/systemd.network.html#NFTSet=1
@@ -937,6 +940,7 @@ let | |||
"Token" | |||
"ManageTemporaryAddress" | |||
"RouteMetric" | |||
"NFTSet" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
DHCPPrefixDelegation documentation: https://www.freedesktop.org/software/systemd/man/latest/systemd.network.html#NFTSet=2
@@ -964,6 +968,7 @@ let | |||
"UseRoutePrefix" | |||
"Token" | |||
"UsePREF64" | |||
"NFTSet" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IPv6AcceptRA documentation: https://www.freedesktop.org/software/systemd/man/latest/systemd.network.html#NFTSet=3
I can add a validator. |
I added a check to validate that all fields are present. It looks like one of the more complex checks for a string option. I'm not sure if I should keep it as several assertions like this, or if I should build a string so it's kept to a single trace line? Also not sure if systemd-lib.nix is the appropriate place for this since it will probably stay specific to the one module. |
@philiptaron I am not sure how I could use a "structured Nix type" where the option type is already a |
dd3dae9
to
fe764ef
Compare
fe764ef
to
7be43d7
Compare
7be43d7
to
fe91294
Compare
33e2702
to
41a4b14
Compare
@mvnetbiz I'm about to be away from a computer for a week-ish. Please feel free to enlist someone else to keep reviewing! I like the direction I see on my phone but can't sign off due to inability to test. |
41a4b14
to
9ef54b9
Compare
Includes NixOS test and validation on required fields.
9ef54b9
to
c5cd3c2
Compare
# added to another. The sets are used by one rule that blocks connections to | ||
# the static address, and one rule that blocks connections to the DHCP address. | ||
# It is tested that the expected connections succeed or fail from another host. | ||
import ./make-test-python.nix ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The manual specifies a different way of defining tests, based on runTest
instead of importing this.
See https://nixos.org/manual/nixos/stable/#sec-call-nixos-test-in-nixos
Description of changes
Allow setting
NFTSet=
option in systemd-netword network files. This option is for automatically adding the interface's address, prefix, or index to a named nftables set. It is valid under[Address]
for static addresses, as well as the various sections for dynamic configuration (DHCP, etc.)Added a NixOS test that configures a machine that uses NFTSet on a statically configured address section, as well as a DHCPv4 section, and checks that both nft sets are modified by testing nft rules that match on the sets.
Things done
Tested that it works on a system with nftables configured.
nix.conf
? (See Nix manual)sandbox = relaxed
sandbox = true
nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/
)Add a 👍 reaction to pull requests you find important.