nixos/networking-interfaces: change preferTempAddress to allow disabling temp addresses
This commit is contained in:
parent
f04239caaa
commit
2485e6399e
@ -143,13 +143,34 @@ let
|
|||||||
description = "Name of the interface.";
|
description = "Name of the interface.";
|
||||||
};
|
};
|
||||||
|
|
||||||
preferTempAddress = mkOption {
|
tempAddress = mkOption {
|
||||||
type = types.bool;
|
type = types.enum [ "default" "enabled" "disabled" ];
|
||||||
default = cfg.enableIPv6;
|
default = if cfg.enableIPv6 then "default" else "disabled";
|
||||||
defaultText = literalExample "config.networking.enableIPv6";
|
defaultText = literalExample ''if cfg.enableIPv6 then "default" else "disabled"'';
|
||||||
description = ''
|
description = ''
|
||||||
When using SLAAC prefer a temporary (IPv6) address over the EUI-64
|
When IPv6 is enabled with SLAAC, this option controls the use of
|
||||||
address for originating connections. This is used to reduce tracking.
|
temporary address (aka privacy extensions). This is used to reduce tracking.
|
||||||
|
The three possible values are:
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
<literal>"default"</literal> to generate temporary addresses and use
|
||||||
|
them by default;
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
<literal>"enabled"</literal> to generate temporary addresses but keep
|
||||||
|
using the standard EUI-64 ones by default;
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
<literal>"disabled"</literal> to completely disable temporary addresses.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -287,6 +308,11 @@ let
|
|||||||
let
|
let
|
||||||
defined = x: x != "_mkMergedOptionModule";
|
defined = x: x != "_mkMergedOptionModule";
|
||||||
in [
|
in [
|
||||||
|
(mkChangedOptionModule [ "preferTempAddress" ] [ "tempAddress" ]
|
||||||
|
(config:
|
||||||
|
let bool = getAttrFromPath [ "preferTempAddress" ] config;
|
||||||
|
in if bool then "default" else "enabled"
|
||||||
|
))
|
||||||
(mkRenamedOptionModule [ "ip4" ] [ "ipv4" "addresses"])
|
(mkRenamedOptionModule [ "ip4" ] [ "ipv4" "addresses"])
|
||||||
(mkRenamedOptionModule [ "ip6" ] [ "ipv6" "addresses"])
|
(mkRenamedOptionModule [ "ip6" ] [ "ipv6" "addresses"])
|
||||||
(mkRemovedOptionModule [ "subnetMask" ] ''
|
(mkRemovedOptionModule [ "subnetMask" ] ''
|
||||||
@ -945,7 +971,7 @@ in
|
|||||||
The networking.interfaces."${i.name}" must not have any defined ips when it is a slave.
|
The networking.interfaces."${i.name}" must not have any defined ips when it is a slave.
|
||||||
'';
|
'';
|
||||||
})) ++ (forEach interfaces (i: {
|
})) ++ (forEach interfaces (i: {
|
||||||
assertion = i.preferTempAddress -> cfg.enableIPv6;
|
assertion = i.tempAddress != "disabled" -> cfg.enableIPv6;
|
||||||
message = ''
|
message = ''
|
||||||
Temporary addresses are only needed when IPv6 is enabled.
|
Temporary addresses are only needed when IPv6 is enabled.
|
||||||
'';
|
'';
|
||||||
@ -973,8 +999,11 @@ in
|
|||||||
"net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces);
|
"net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces);
|
||||||
} // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces)
|
} // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces)
|
||||||
(i: forEach [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${replaceChars ["."] ["/"] i.name}.proxy_arp" true)))
|
(i: forEach [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${replaceChars ["."] ["/"] i.name}.proxy_arp" true)))
|
||||||
// listToAttrs (forEach (filter (i: i.preferTempAddress) interfaces)
|
// listToAttrs (forEach interfaces
|
||||||
(i: nameValuePair "net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr" 2));
|
(i: let
|
||||||
|
opt = i.tempAddress;
|
||||||
|
val = { disabled = 0; enabled = 1; default = 2; }.${opt};
|
||||||
|
in nameValuePair "net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr" val));
|
||||||
|
|
||||||
# Capabilities won't work unless we have at-least a 4.3 Linux
|
# Capabilities won't work unless we have at-least a 4.3 Linux
|
||||||
# kernel because we need the ambient capability
|
# kernel because we need the ambient capability
|
||||||
@ -1103,10 +1132,18 @@ in
|
|||||||
(pkgs.writeTextFile rec {
|
(pkgs.writeTextFile rec {
|
||||||
name = "ipv6-privacy-extensions.rules";
|
name = "ipv6-privacy-extensions.rules";
|
||||||
destination = "/etc/udev/rules.d/99-${name}";
|
destination = "/etc/udev/rules.d/99-${name}";
|
||||||
text = concatMapStrings (i: ''
|
text = concatMapStrings (i:
|
||||||
# enable IPv6 privacy addresses but prefer EUI-64 addresses for ${i.name}
|
let
|
||||||
ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.procps}/bin/sysctl net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr=1"
|
opt = i.tempAddress;
|
||||||
'') (filter (i: !i.preferTempAddress) interfaces);
|
val = if opt == "disabled" then 0 else 1;
|
||||||
|
msg = if opt == "disabled"
|
||||||
|
then "completely disable IPv6 privacy addresses"
|
||||||
|
else "enable IPv6 privacy addresses but prefer EUI-64 addresses";
|
||||||
|
in
|
||||||
|
''
|
||||||
|
# override to ${msg} for ${i.name}
|
||||||
|
ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.procps}/bin/sysctl net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr=${toString val}"
|
||||||
|
'') (filter (i: i.tempAddress != "default") interfaces);
|
||||||
})
|
})
|
||||||
] ++ lib.optional (cfg.wlanInterfaces != {})
|
] ++ lib.optional (cfg.wlanInterfaces != {})
|
||||||
(pkgs.writeTextFile {
|
(pkgs.writeTextFile {
|
||||||
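Review bot: The migration in the `mkChangedOptionModule` hunk maps an explicit `preferTempAddress = false` to `"enabled"`, which the new assertion `i.tempAddress != "disabled" -> cfg.enableIPv6` rejects whenever `networking.enableIPv6 = false` — a configuration the old assertion accepted, since `false -> x` was always true, so previously valid configs now fail evaluation. The conversion should follow the new default instead: `in if bool then "default" else if cfg.enableIPv6 then "enabled" else "disabled"`; the `imports` binding that this `let … in [` list belongs to starts before the hunk. In the option description, the `"disabled"` item should carry the privacy caveat that originating connections then use the stable EUI-64 address the option text itself describes as the thing temporary addresses exist to hide, e.g. `Note: outgoing connections then expose the stable EUI-64 address, which allows tracking across networks.` The new `defaultText` also renders the module-local `cfg`, which means nothing to a manual reader; keep the previous `config.networking.enableIPv6` spelling there.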