tasks/network-interfaces.nix: Enable ip_forwarding for ipv4 and p… #62671
Conversation
kfiz
changed the title
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
| "net.ipv6.conf.all.disable_ipv6" = mkDefault (!cfg.enableIPv6); | ||
| "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); | ||
| "net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); | ||
| } // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces) | ||
| (i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true))) | ||
| (i: flip map [ "4" "6" ] (v: if v == "4" |
There was a problem hiding this comment.
the if can be all the way inside, like ${if v == "4" then "arp" else "ndp"}
There was a problem hiding this comment.
Thanks for the comment. I simplified this.
|
I see this problem is still in master. |
|
Please fix, rebase and LGTM, seems like an easy win. |
kfiz
force-pushed
the
networking-proxy_arp-fix
branch
from
47582e2
to
8f4aca3
Compare
|
Done. |
|
Hey, I meant but maybe what you wrote is more readable. I tested the PR, works fine, sets @flokli could you take a look? Thank you! |
|
@kfiz Please make this one single commit, and format the commit message properly. Also, the commit is missing a description on the why, as per
@brainrape I think the variant currently present in this PR is more readable. |
kfiz
force-pushed
the
networking-proxy_arp-fix
branch
from
8f4aca3
to
1ab4e58
Compare
|
@flokli Done. |
| "net.ipv6.conf.all.disable_ipv6" = mkDefault (!cfg.enableIPv6); | ||
| "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); | ||
| "net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); | ||
| } // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces) | ||
| (i: forEach [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${replaceChars ["."] ["/"] i.name}.proxy_arp" true))) | ||
| (i: [(nameValuePair "net.ipv4.conf.${replaceChars ["."] ["/"] i.name}.proxy_arp" true) | ||
| (nameValuePair "net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.proxy_ndp" true)])) |
There was a problem hiding this comment.
It seems GitHub ate my comment.
This reads like we always set a wrong proxy_ndp sysctl (so it never worked), and even if we set it now, the kernel-provided ndp proxy infrastructure requires addition of each individual address to ndp proxy for (see https://github.com/DanielAdolfsson/ndppd/blob/master/README#L57)
It seems more useful to just remove the NDP-specific bits from the proxyARP documentation, and let users either use ndppd (which is packaged in NixOS), or set options themselves.
Luckily, as it never worked before, we don't break any existing configurations.
There was a problem hiding this comment.
Hmm...you are right. Setting proxy_ndp alone is not enough to make this work.
The question for me here would be whether a user who sets this knows that she has to additionally set something like ip -6 neigh add proxy <ip> dev <if> or not. If she is aware of this then this PR is aligned with her expectations, if not than obviously not.
In any way, another way to go apart from your suggestion would be to generate a warning message that tells users that additional settings have to be specified for this to work and alternatively point to ndppd.
There was a problem hiding this comment.
proxyARP shouldn't enable proxy NDP - these are two different concepts, and we shouldn't mix them. Given it never worked, I don't see a problem with removing the (disfunctional and dangerous) proxy NDP part.
There was a problem hiding this comment.
Agreed. We shouldn't mix the two. It's better to force users to make this decision consciously.
There was a problem hiding this comment.
Can you push a new commit changing this?
kfiz
force-pushed
the
networking-proxy_arp-fix
branch
2 times, most recently
from
b6e4d59
to
8eda489
Compare
There was a problem hiding this comment.
The description for networking.interfaces.<name?>.proxyARP needs to be updated - it still refers to the NDP bits.
Also, please update the commit message to something like this:
tasks/networking-interfaces.nix: remove broken NDP bits from proxyARP option
The `networking.interfaces.<name?>.proxyARP` previously mentioned it would also enable IPv6 forwarding and `proxy_ndp`.
However, the `proxy_ndp` option was never actually set (as it did set the non-existing `net.ipv6.conf.proxy_arp` sysctl instead), and `proxy_ndp` also needs individual entries
for each ip to proxy for.
Proxy ARP and Proxy NDP are two different concepts, and enabling the latter
should be a conscious decision.
This commit removes the broken NDP support, and disables explicitly
enabling IPv6 forwarding (which is the default in most cases anyways)
Fixes #62339.
| @@ -1055,11 +1055,12 @@ in | |||
| optionalString hasBonds "options bonding max_bonds=0"; | |||
|
|
|||
| boot.kernel.sysctl = { | |||
| "net.ipv4.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); | |||
| "net.ipv6.conf.all.disable_ipv6" = mkDefault (!cfg.enableIPv6); | |||
| "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); | |||
| "net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); | |||
There was a problem hiding this comment.
Sorry, I missed this line. With all the NDP stuff gone, we also shouldn't enable ipv6 forwarding on proxyARP anymore.
This however now should get a release note entry now.
There was a problem hiding this comment.
@flokli What do you think. Are we good to go?
The `networking.interfaces.<name?>.proxyARP` option previously mentioned it would also enable IPv6 forwarding and `proxy_ndp`. However, the `proxy_ndp` option was never actually set (the non-existing `net.ipv6.conf.proxy_arp` sysctl was set instead). In addition `proxy_ndp` also needs individual entries for each ip to proxy for. Proxy ARP and Proxy NDP are two different concepts, and enabling the latter should be a conscious decision. This commit removes the broken NDP support, and disables explicitly enabling IPv6 forwarding (which is the default in most cases anyways) Fixes NixOS#62339.
kfiz
force-pushed
the
networking-proxy_arp-fix
branch
from
8eda489
to
5d3a72f
Compare
|
Thanks! |
…roxy_ndp for ipv6 for interfaces that set proxy_ARP
Motivation for this change
Fixes #62339
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)