Use pbb policy routing module

2020-12-08 13:49:46 +01:00 · 2020-12-08 13:49:46 +01:00 · 1b7c2c1b99
parent 0be2b84fdc
commit 1b7c2c1b99
2 changed files with 60 additions and 8 deletions
--- a/hosts/dn42-il-gw5/configuration.nix
+++ b/hosts/dn42-il-gw5/configuration.nix
@ -7,6 +7,7 @@
      ../../configuration/common
      ../../configuration/proxmox-vm
      ../../configuration/dn42
+      ../modules/policyrouting
    ];

  boot.loader.grub.enable = true;
@ -36,14 +37,15 @@
  networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens21"; };
  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];

-  #networking.localCommands = ''
-  #ip -6 rule flush
-  #ip -6 rule add lookup main prio 32000
-  #ip -6 rule add from all to fd56:4902:eca0::/48 lookup 1337 prio 10000
-  #ip -6 rule add from all to all lookup 2342 prio 10000
-  #ip -6 rule add from all to fd56:4902:eca0::/48 unreachable prio 20000
-  #ip -6 rule add from fd56:4902:eca0::/48 to all unreachable prio 20000
-  #'';
+  petabyte.policyrouting = {
+    enable = true;
+    rules6 = [
+      { rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
+      { rule = "from all to all lookup 2342"; prio = 10000; }
+      { rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
+      { rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
+    ];
+  };

  networking.firewall.allowedTCPPorts = [
    179
--- a/modules/policyrouting/default.nix
+++ b/modules/policyrouting/default.nix
@ -0,0 +1,50 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.petabyte.policyrouting;
+
+  ruleOpts = { ... }: {
+    options = {
+      prio = mkOption {
+        type = types.int;
+      };
+      rule = mkOption {
+        type = types.str;
+      };
+    };
+  };
+
+in {
+  options = {
+    petabyte.policyrouting = {
+      enable = mkEnableOption "Declarative Policy-Routing";
+      rules = mkOption {
+        type = with types; listOf (submodule ruleOpts);
+        default = [];
+      };
+      rules6 = mkOption {
+        type = with types; listOf (submodule ruleOpts);
+        default = [];
+      };
+      rules4 = mkOption {
+        type = with types; listOf (submodule ruleOpts);
+        default = [];
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    petabyte.policyrouting.rules = [
+      { rule = "lookup main"; prio = 32000; }
+    ];
+    networking.localCommands = ''
+      set -x
+      ip -6 rule flush
+      ip -4 rule flush
+      ${concatMapStringsSep "\n" ({ prio, rule }: "ip -6 rule add ${rule} prio ${toString prio}") (cfg.rules ++ cfg.rules6)}
+      ${concatMapStringsSep "\n" ({ prio, rule }: "ip -4 rule add ${rule} prio ${toString prio}") (cfg.rules ++ cfg.rules4)}
+    '';
+  };
+}