Merge pull request #118037 from mayflower/privacy-extensions-configurable

nixos/network: allow configuring tempaddr for undeclared interfaces

nixos/doc/manual/configuration/ipv6-config.xml

@@ -7,8 +7,12 @@
 
  <para>
   IPv6 is enabled by default. Stateless address autoconfiguration is used to
-  automatically assign IPv6 addresses to all interfaces. You can disable IPv6
+  automatically assign IPv6 addresses to all interfaces, and Privacy
-  support globally by setting:
+  Extensions (RFC 4946) are enabled by default. You can adjust the default
+  for this by setting <xref linkend="opt-networking.tempAddresses"/>.
+  This option may be overridden on a per-interface basis by
+  <xref linkend="opt-networking.interfaces._name_.tempAddress"/>.
+  You can disable IPv6 support globally by setting:
 <programlisting>
 <xref linkend="opt-networking.enableIPv6"/> = false;
 </programlisting>

nixos/modules/tasks/network-interfaces.nix

@@ -144,33 +144,20 @@ let
       };
 
       tempAddress = mkOption {
-        type = types.enum [ "default" "enabled" "disabled" ];
+        type = types.enum (lib.attrNames tempaddrValues);
-        default = if cfg.enableIPv6 then "default" else "disabled";
+        default = cfg.tempAddresses;
-        defaultText = literalExample ''if cfg.enableIPv6 then "default" else "disabled"'';
+        defaultText = literalExample ''config.networking.tempAddresses'';
         description = ''
           When IPv6 is enabled with SLAAC, this option controls the use of
-          temporary address (aka privacy extensions). This is used to reduce tracking.
+          temporary address (aka privacy extensions) on this
-          The three possible values are:
+          interface. This is used to reduce tracking.
 
-          <itemizedlist>
+          See also the global option
-           <listitem>
+          <xref linkend="opt-networking.tempAddresses"/>, which
-            <para>
+          applies to all interfaces where this is not set.
-             <literal>"default"</literal> to generate temporary addresses and use
+
-             them by default;
+          Possible values are:
-            </para>
+          ${tempaddrDoc}
-           </listitem>
-           <listitem>
-            <para>
-             <literal>"enabled"</literal> to generate temporary addresses but keep
-             using the standard EUI-64 ones by default;
-            </para>
-           </listitem>
-           <listitem>
-            <para>
-             <literal>"disabled"</literal> to completely disable temporary addresses.
-            </para>
-           </listitem>
-          </itemizedlist>
         '';
       };
 
@@ -366,6 +353,32 @@ let
 
   isHexString = s: all (c: elem c hexChars) (stringToCharacters (toLower s));
 
+  tempaddrValues = {
+    disabled = {
+      sysctl = "0";
+      description = "completely disable IPv6 temporary addresses";
+    };
+    enabled = {
+      sysctl = "1";
+      description = "generate IPv6 temporary addresses but still use EUI-64 addresses as source addresses";
+    };
+    default = {
+      sysctl = "2";
+      description = "generate IPv6 temporary addresses and use these as source addresses in routing";
+    };
+  };
+  tempaddrDoc = ''
+    <itemizedlist>
+     ${concatStringsSep "\n" (mapAttrsToList (name: { description, ... }: ''
+       <listitem>
+         <para>
+           <literal>"${name}"</literal> to ${description};
+         </para>
+       </listitem>
+     '') tempaddrValues)}
+    </itemizedlist>
+  '';
+
 in
 
 {
@@ -1039,6 +1052,21 @@ in
       '';
     };
 
+    networking.tempAddresses = mkOption {
+      default = if cfg.enableIPv6 then "default" else "disabled";
+      type = types.enum (lib.attrNames tempaddrValues);
+      description = ''
+        Whether to enable IPv6 Privacy Extensions for interfaces not
+        configured explicitly in
+        <xref linkend="opt-networking.interfaces._name_.tempAddress" />.
+
+        This sets the ipv6.conf.*.use_tempaddr sysctl for all
+        interfaces. Possible values are:
+
+        ${tempaddrDoc}
+      '';
+    };
+
   };
 
 
@@ -1098,7 +1126,7 @@ in
       // listToAttrs (forEach interfaces
         (i: let
           opt = i.tempAddress;
-          val = { disabled = 0; enabled = 1; default = 2; }.${opt};
+          val = tempaddrValues.${opt}.sysctl;
          in nameValuePair "net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr" val));
 
     # Capabilities won't work unless we have at-least a 4.3 Linux
@@ -1188,9 +1216,11 @@ in
       (pkgs.writeTextFile rec {
         name = "ipv6-privacy-extensions.rules";
         destination = "/etc/udev/rules.d/98-${name}";
-        text = ''
+        text = let
+          sysctl-value = tempaddrValues.${cfg.tempAddresses}.sysctl;
+        in ''
           # enable and prefer IPv6 privacy addresses by default
-          ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.bash}/bin/sh -c 'echo 2 > /proc/sys/net/ipv6/conf/%k/use_tempaddr'"
+          ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.bash}/bin/sh -c 'echo ${sysctl-value} > /proc/sys/net/ipv6/conf/%k/use_tempaddr'"
         '';
       })
       (pkgs.writeTextFile rec {
@@ -1199,15 +1229,13 @@ in
         text = concatMapStrings (i:
           let
             opt = i.tempAddress;
-            val = if opt == "disabled" then 0 else 1;
+            val = tempaddrValues.${opt}.sysctl;
-            msg = if opt == "disabled"
+            msg = tempaddrValues.${opt}.description;
-                  then "completely disable IPv6 privacy addresses"
-                  else "enable IPv6 privacy addresses but prefer EUI-64 addresses";
           in
           ''
             # override to ${msg} for ${i.name}
-            ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.procps}/bin/sysctl net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr=${toString val}"
+            ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.procps}/bin/sysctl net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr=${val}"
-          '') (filter (i: i.tempAddress != "default") interfaces);
+          '') (filter (i: i.tempAddress != cfg.tempAddresses) interfaces);
       })
     ] ++ lib.optional (cfg.wlanInterfaces != {})
       (pkgs.writeTextFile {

nixos/tests/ipv6.nix

@@ -8,12 +8,34 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
   };
 
   nodes =
-    # Remove the interface configuration provided by makeTest so that the
+    {
-    # interfaces are all configured implicitly
+      # We use lib.mkForce here to remove the interface configuration
-    { client = { ... }: { networking.interfaces = lib.mkForce {}; };
+      # provided by makeTest, so that the interfaces are all configured
+      # implicitly.
+
+      # This client should use privacy extensions fully, having a
+      # completely-default network configuration.
+      client_defaults.networking.interfaces = lib.mkForce {};
+
+      # Both of these clients should obtain temporary addresses, but
+      # not use them as the default source IP. We thus run the same
+      # checks against them — but the configuration resulting in this
+      # behaviour is different.
+
+      # Here, by using an altered default value for the global setting...
+      client_global_setting = {
+        networking.interfaces = lib.mkForce {};
+        networking.tempAddresses = "enabled";
+      };
+      # and here, by setting this on the interface explicitly.
+      client_interface_setting = {
+        networking.tempAddresses = "disabled";
+        networking.interfaces = lib.mkForce {
+          eth1.tempAddress = "enabled";
+        };
+      };
 
       server =
-        { ... }:
         { services.httpd.enable = true;
           services.httpd.adminAddr = "foo@example.org";
           networking.firewall.allowedTCPPorts = [ 80 ];
@@ -40,9 +62,12 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
       # Start the router first so that it respond to router solicitations.
       router.wait_for_unit("radvd")
 
+      clients = [client_defaults, client_global_setting, client_interface_setting]
+
       start_all()
 
-      client.wait_for_unit("network.target")
+      for client in clients:
+          client.wait_for_unit("network.target")
       server.wait_for_unit("network.target")
       server.wait_for_unit("httpd.service")
 
@@ -64,28 +89,42 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
 
 
       with subtest("Loopback address can be pinged"):
-          client.succeed("ping -c 1 ::1 >&2")
+          client_defaults.succeed("ping -c 1 ::1 >&2")
-          client.fail("ping -c 1 ::2 >&2")
+          client_defaults.fail("ping -c 1 2001:db8:: >&2")
 
       with subtest("Local link addresses can be obtained and pinged"):
-          client_ip = wait_for_address(client, "eth1", "link")
+          for client in clients:
-          server_ip = wait_for_address(server, "eth1", "link")
+              client_ip = wait_for_address(client, "eth1", "link")
-          client.succeed(f"ping -c 1 {client_ip}%eth1 >&2")
+              server_ip = wait_for_address(server, "eth1", "link")
-          client.succeed(f"ping -c 1 {server_ip}%eth1 >&2")
+              client.succeed(f"ping -c 1 {client_ip}%eth1 >&2")
+              client.succeed(f"ping -c 1 {server_ip}%eth1 >&2")
 
       with subtest("Global addresses can be obtained, pinged, and reached via http"):
-          client_ip = wait_for_address(client, "eth1", "global")
+          for client in clients:
-          server_ip = wait_for_address(server, "eth1", "global")
+              client_ip = wait_for_address(client, "eth1", "global")
-          client.succeed(f"ping -c 1 {client_ip} >&2")
+              server_ip = wait_for_address(server, "eth1", "global")
-          client.succeed(f"ping -c 1 {server_ip} >&2")
+              client.succeed(f"ping -c 1 {client_ip} >&2")
-          client.succeed(f"curl --fail -g http://[{server_ip}]")
+              client.succeed(f"ping -c 1 {server_ip} >&2")
-          client.fail(f"curl --fail -g http://[{client_ip}]")
+              client.succeed(f"curl --fail -g http://[{server_ip}]")
+              client.fail(f"curl --fail -g http://[{client_ip}]")
 
-      with subtest("Privacy extensions: Global temporary address can be obtained and pinged"):
+      with subtest(
-          ip = wait_for_address(client, "eth1", "global", temporary=True)
+          "Privacy extensions: Global temporary address is used as default source address"
+      ):
+          ip = wait_for_address(client_defaults, "eth1", "global", temporary=True)
           # Default route should have "src <temporary address>" in it
-          client.succeed(f"ip r g ::2 | grep {ip}")
+          client_defaults.succeed(f"ip route get 2001:db8:: | grep 'src {ip}'")
 
-      # TODO: test reachability of a machine on another network.
+      for client, setting_desc in (
+          (client_global_setting, "global"),
+          (client_interface_setting, "interface"),
+      ):
+          with subtest(f'Privacy extensions: "enabled" through {setting_desc} setting)'):
+              # We should be obtaining both a temporary address and an EUI-64 address...
+              ip = wait_for_address(client, "eth1", "global")
+              assert "ff:fe" in ip
+              ip_temp = wait_for_address(client, "eth1", "global", temporary=True)
+              # But using the EUI-64 one.
+              client.succeed(f"ip route get 2001:db8:: | grep 'src {ip}'")
     '';
 })