Try to use multiple tables with CONNMARK

nyanloutre 2024-11-28 12:14:26 +01:00
parent fe7f6b62a0
commit fad8652bac


@ -114,8 +114,41 @@
];
};
#################
# ROUTING RULES #
#################
# 0: from all lookup local
# 60: from all iif lo dport 25 lookup vpn
# 4000: from all fwmark 0x1 lookup fiber
# 5000: from all fwmark 0x2 lookup lte
# 6000: from all fwmark 0x3 lookup vpn
# 32766: from all lookup main
# 32767: from all lookup default
# 40000: from all lookup fiber
# 50000: from all lookup lte
# TODO
##################
# iptables rules #
##################
# # Restore the packet's CONNMARK to the MARK.
# iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
# # If packet MARK is set, then it means that there is already a connection mark
# iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
# # Else, we need to mark the packet. If the packet is incoming on bouygues then set MARK to 1
# iptables -A PREROUTING -t mangle -i bouygues -j MARK --set-mark 1
# iptables -A PREROUTING -t mangle -i enp0s21u1 -j MARK --set-mark 2
# iptables -A PREROUTING -t mangle -i wg0 -j MARK --set-mark 3
# # Save MARK to CONNMARK.
# iptables -A PREROUTING -t mangle -j CONNMARK --save-mark
systemd.network = let
routeTables = {
fiber = 1;
lte = 2;
vpn = 3;
};
in {
@ -164,14 +197,17 @@
# Set route metric to highest priority
# Set DHCP client magic settings for Bouygues
"40-bouygues" = {
dhcpV4Config.RouteMetric = 1;
dhcpV4Config.RouteTable = routeTables.fiber;
dhcpV6Config = {
DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
WithoutRA = "solicit";
};
ipv6AcceptRAConfig.DHCPv6Client = true;
ipv6AcceptRAConfig = {
DHCPv6Client = true;
RouteTable = routeTables.fiber;
};
networkConfig = {
KeepConfiguration = "dhcp-on-stop";
@ -181,6 +217,25 @@
# Static attribution of first IPv6 subnet
dhcpPrefixDelegationConfig.SubnetId = "0";
# Route everything to fiber link with a priority of 40000
routingPolicyRules = [
{
routingPolicyRuleConfig = {
FirewallMark = 1;
Table = routeTables.fiber;
Priority = 4000;
Family = "both";
};
}
{
routingPolicyRuleConfig = {
Table = routeTables.fiber;
Priority = 40000;
Family = "both";
};
}
];
};
# Don't check VLAN physical interface as it is not directly used
@ -191,7 +246,28 @@
#######
# Set LTE route to lower priority
"40-enp0s21u1".dhcpV4Config.RouteMetric = 1024;
"40-enp0s21u1" = {
dhcpV4Config.RouteTable = routeTables.lte;
# Route all to lte link with a priority of 50000
routingPolicyRules = [
{
routingPolicyRuleConfig = {
FirewallMark = 2;
Table = routeTables.lte;
Priority = 5000;
Family = "both";
};
}
{
routingPolicyRuleConfig = {
Table = routeTables.lte;
Priority = 50000;
Family = "both";
};
}
];
};
#######
# VPN #
@ -214,7 +290,7 @@
IncomingInterface = "lo";
DestinationPort = "25";
Table = routeTables.vpn;
Priority = 50;
Priority = 60;
Family = "both";
};
}
@ -222,16 +298,10 @@
# Allow server to respond on the wg0 interface requests
{
routingPolicyRuleConfig = {
From = vpnIPv4;
FirewallMark = 3;
Table = routeTables.vpn;
Priority = 49;
};
}
{
routingPolicyRuleConfig = {
From = vpnIPv6;
Table = routeTables.vpn;
Priority = 49;
Priority = 6000;
Family = "both";
};
}
];
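Review bot: The VPN reply rule now matches only `FirewallMark = 3`, yet nothing in this commit sets that mark — the CONNMARK/MARK rules are still a commented-out TODO in the first hunk — so the removed `From = vpnIPv4` / `From = vpnIPv6` rules at priority 49 have no working replacement and replies to wg0 peers fall through to the main/fiber tables (asymmetric routing, with VPN reply traffic leaving on the public uplinks). The same applies to the `FirewallMark = 1` and `FirewallMark = 2` rules at priorities 4000 and 5000. I'd keep the two source-based rules alongside the mark rule until the firewall side lands, or at least mark the gap in the attribute with a comment such as `# FirewallMark rules are inert until the mangle CONNMARK rules (see TODO above) are configured`. The comments `# Route everything to fiber link with a priority of 40000` and `# Route all to lte link with a priority of 50000` now precede lists that also hold the mark-based 4000/5000 rules and read stale. The enclosing routingPolicyRules list starts outside the hunk.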