Prepare source routing

2022-07-15 01:16:51 +02:00
parent 438e3f7099
commit c282f5e1f4
20 changed files with 223 additions and 2 deletions
--- a/hosts/router/10-net-services.nix
+++ b/hosts/router/10-net-services.nix
@@ -14,4 +14,6 @@
  ];

  # Everyone is allowed reaching this, no firewall therefore
+
+  clerie.uplink-selector.interfaces.net-services.uplink = "uplink-a";
 }
--- a/hosts/router/101-net-uplink-a.nix
+++ b/hosts/router/101-net-uplink-a.nix
@@ -25,7 +25,7 @@
        lcp-echo-failure 3
        mtu 1492
        hide-password
-        defaultroute
+        nodefaultroute
        +ipv6
        debug
      '';
--- a/hosts/router/102-net-uplink-b.nix
+++ b/hosts/router/102-net-uplink-b.nix
@@ -25,7 +25,7 @@
        lcp-echo-failure 3
        mtu 1492
        hide-password
-        defaultroute
+        nodefaultroute
        +ipv6
        debug
      '';
--- a/hosts/router/151-net-technik-iot.nix
+++ b/hosts/router/151-net-technik-iot.nix
@@ -40,4 +40,6 @@
    # Give technik access to their toys
    { incomingInterface = "net-technik"; }
  ];
+
+  clerie.uplink-selector.interfaces.net-technik-iot.uplink = "uplink-b";
 }
--- a/hosts/router/201-net-ikt.nix
+++ b/hosts/router/201-net-ikt.nix
@@ -52,4 +52,6 @@
    # Allow infrastructure devices to access ikt user devices for downloading software etc
    { incomingInterface = "net-management"; }
  ];
+
+  clerie.uplink-selector.interfaces.net-ikt.uplink = "uplink-b";
 }
--- a/hosts/router/202-net-technik.nix
+++ b/hosts/router/202-net-technik.nix
@@ -53,4 +53,6 @@
    # Give the toys access to technik
    { incomingInterface = "net-technik-iot"; }
  ];
+
+  clerie.uplink-selector.interfaces.net-technik.uplink = "uplink-b";
 }
--- a/hosts/router/203-net-hospital.nix
+++ b/hosts/router/203-net-hospital.nix
@@ -51,4 +51,6 @@
  clerie.forward-filter.interfaces.net-hospital.rules = [
    { incomingInterface = "net-ikt"; }
  ];
+
+  clerie.uplink-selector.interfaces.net-hospital.uplink = "uplink-a";
 }
--- a/hosts/router/204-net-zoll.nix
+++ b/hosts/router/204-net-zoll.nix
@@ -51,4 +51,6 @@
  clerie.forward-filter.interfaces.net-zoll.rules = [
    { incomingInterface = "net-ikt"; }
  ];
+
+  clerie.uplink-selector.interfaces.net-zoll.uplink = "uplink-a";
 }
--- a/hosts/router/205-net-leitstelle.nix
+++ b/hosts/router/205-net-leitstelle.nix
@@ -51,4 +51,6 @@
  clerie.forward-filter.interfaces.net-leitstelle.rules = [
    { incomingInterface = "net-ikt"; }
  ];
+
+  clerie.uplink-selector.interfaces.net-leitstelle.uplink = "uplink-a";
 }
--- a/hosts/router/206-net-verwaltung.nix
+++ b/hosts/router/206-net-verwaltung.nix
@@ -51,4 +51,6 @@
  clerie.forward-filter.interfaces.net-verwaltung.rules = [
    { incomingInterface = "net-ikt"; }
  ];
+
+  clerie.uplink-selector.interfaces.net-verwaltung.uplink = "uplink-a";
 }
--- a/hosts/router/208-net-yolo.nix
+++ b/hosts/router/208-net-yolo.nix
@@ -51,4 +51,6 @@
  clerie.forward-filter.interfaces.net-yolo.rules = [
    { incomingInterface = "net-ikt"; }
  ];
+
+  clerie.uplink-selector.interfaces.net-yolo.uplink = "uplink-b";
 }
--- a/hosts/router/209-net-infojurte.nix
+++ b/hosts/router/209-net-infojurte.nix
@@ -51,4 +51,6 @@
  clerie.forward-filter.interfaces.net-infojurte.rules = [
    { incomingInterface = "net-ikt"; }
  ];
+
+  clerie.uplink-selector.interfaces.net-infojurte.uplink = "uplink-b";
 }
--- a/hosts/router/210-net-internation.nix
+++ b/hosts/router/210-net-internation.nix
@@ -51,4 +51,6 @@
  clerie.forward-filter.interfaces.net-internation.rules = [
    { incomingInterface = "net-ikt"; }
  ];
+
+  clerie.uplink-selector.interfaces.net-internation.uplink = "uplink-b";
 }
--- a/hosts/router/211-net-programmtre.nix
+++ b/hosts/router/211-net-programmtre.nix
@@ -51,4 +51,6 @@
  clerie.forward-filter.interfaces.net-programmtre.rules = [
    { incomingInterface = "net-ikt"; }
  ];
+
+  clerie.uplink-selector.interfaces.net-programmtre.uplink = "uplink-b";
 }
--- a/hosts/router/212-net-open-office.nix
+++ b/hosts/router/212-net-open-office.nix
@@ -51,4 +51,6 @@
  clerie.forward-filter.interfaces.net-open-office.rules = [
    { incomingInterface = "net-ikt"; }
  ];
+
+  clerie.uplink-selector.interfaces.net-open-office.uplink = "uplink-b";
 }
--- a/hosts/router/configuration.nix
+++ b/hosts/router/configuration.nix
@@ -6,6 +6,8 @@
      ./hardware-configuration.nix

      ./nat.nix
+      ./ppp.nix
+      ./uplink-selector.nix

      ./10-net-services.nix
      ./42-net-management.nix
--- a/hosts/router/ppp.nix
+++ b/hosts/router/ppp.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+
+{
+  # Setting default routes based on interfaces in different tables
+  environment.etc."ppp/ip-up" = {
+    text = ''
+      #! ${pkgs.runtimeShell} -e
+
+      case $IFNAME in
+       ppp-uplink-a)
+         ip route flush table 20001 || true
+         ip route add default dev ppp-uplink-a table 20001
+         ;;
+       ppp-uplink-b)
+         ip route flush table 20002 || true
+         ip route add default dev ppp-uplink-b table 20002
+         ;;
+      esac
+    '';
+    mode = "555";
+  };
+  environment.etc."ppp/ip-down" = {
+    text = ''
+      #! ${pkgs.runtimeShell} -e
+
+      case $IFNAME in
+       ppp-uplink-a)
+         ip route flush table 20001 || true
+         ;;
+       ppp-uplink-b)
+         ip route flush table 20002 || true
+         ;;
+      esac
+    '';
+    mode = "555";
+  };
+  environment.etc."ppp/ipv6-up" = {
+    text = ''
+      #! ${pkgs.runtimeShell} -e
+
+      case $IFNAME in
+       ppp-uplink-a)
+         ip -6 route flush table 20001 || true
+         ip -6 route add default dev ppp-uplink-a table 20001
+         ;;
+       ppp-uplink-b)
+         ip -6 route flush table 20002 || true
+         ip -6 route add default dev ppp-uplink-b table 20002
+         ;;
+      esac
+    '';
+    mode = "555";
+  };
+  environment.etc."ppp/ipv6-down" = {
+    text = ''
+      #! ${pkgs.runtimeShell} -e
+
+      case $IFNAME in
+       ppp-uplink-a)
+         ip -6 route flush table 20001 || true
+         ;;
+       ppp-uplink-b)
+         ip -6 route flush table 20002 || true
+         ;;
+      esac
+    '';
+    mode = "555";
+  };
+}
--- a/hosts/router/uplink-selector.nix
+++ b/hosts/router/uplink-selector.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+  clerie.uplink-selector.enable = true;
+  clerie.uplink-selector.uplinks = {
+    uplink-a.table = "20001";
+    uplink-b.table = "20002";
+  };
+}