New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tasks/network-interfaces.nix: Enable ip_forwarding for ipv4 and p… #62671
Conversation
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
"net.ipv6.conf.all.disable_ipv6" = mkDefault (!cfg.enableIPv6); | ||
"net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); | ||
"net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); | ||
} // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces) | ||
(i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true))) | ||
(i: flip map [ "4" "6" ] (v: if v == "4" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the if
can be all the way inside, like ${if v == "4" then "arp" else "ndp"}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the comment. I simplified this.
I see this problem is still in master. |
Please fix, rebase and LGTM, seems like an easy win. |
47582e2
to
8f4aca3
Compare
Done. |
Hey, I meant
but maybe what you wrote is more readable. I tested the PR, works fine, sets @flokli could you take a look? Thank you! |
@kfiz Please make this one single commit, and format the commit message properly. Also, the commit is missing a description on the why, as per
@brainrape I think the variant currently present in this PR is more readable. |
8f4aca3
to
1ab4e58
Compare
@flokli Done. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also note the commit author seems to be different.
"net.ipv6.conf.all.disable_ipv6" = mkDefault (!cfg.enableIPv6); | ||
"net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); | ||
"net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); | ||
} // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces) | ||
(i: forEach [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${replaceChars ["."] ["/"] i.name}.proxy_arp" true))) | ||
(i: [(nameValuePair "net.ipv4.conf.${replaceChars ["."] ["/"] i.name}.proxy_arp" true) | ||
(nameValuePair "net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.proxy_ndp" true)])) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems GitHub ate my comment.
This reads like we always set a wrong proxy_ndp sysctl (so it never worked), and even if we set it now, the kernel-provided ndp proxy infrastructure requires addition of each individual address to ndp proxy for (see https://github.com/DanielAdolfsson/ndppd/blob/master/README#L57)
It seems more useful to just remove the NDP-specific bits from the proxyARP
documentation, and let users either use ndppd (which is packaged in NixOS), or set options themselves.
Luckily, as it never worked before, we don't break any existing configurations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm...you are right. Setting proxy_ndp alone is not enough to make this work.
The question for me here would be whether a user who sets this knows that she has to additionally set something like ip -6 neigh add proxy <ip> dev <if>
or not. If she is aware of this then this PR is aligned with her expectations, if not than obviously not.
In any way, another way to go apart from your suggestion would be to generate a warning message that tells users that additional settings have to be specified for this to work and alternatively point to ndppd.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
proxyARP
shouldn't enable proxy NDP - these are two different concepts, and we shouldn't mix them. Given it never worked, I don't see a problem with removing the (disfunctional and dangerous) proxy NDP part.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed. We shouldn't mix the two. It's better to force users to make this decision consciously.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you push a new commit changing this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed this.
b6e4d59
to
8eda489
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The description for networking.interfaces.<name?>.proxyARP
needs to be updated - it still refers to the NDP bits.
Also, please update the commit message to something like this:
tasks/networking-interfaces.nix: remove broken NDP bits from proxyARP option
The `networking.interfaces.<name?>.proxyARP` previously mentioned it would also enable IPv6 forwarding and `proxy_ndp`.
However, the `proxy_ndp` option was never actually set (as it did set the non-existing `net.ipv6.conf.proxy_arp` sysctl instead), and `proxy_ndp` also needs individual entries
for each ip to proxy for.
Proxy ARP and Proxy NDP are two different concepts, and enabling the latter
should be a conscious decision.
This commit removes the broken NDP support, and disables explicitly
enabling IPv6 forwarding (which is the default in most cases anyways)
Fixes #62339.
@@ -1055,11 +1055,12 @@ in | |||
optionalString hasBonds "options bonding max_bonds=0"; | |||
|
|||
boot.kernel.sysctl = { | |||
"net.ipv4.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); | |||
"net.ipv6.conf.all.disable_ipv6" = mkDefault (!cfg.enableIPv6); | |||
"net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); | |||
"net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I missed this line. With all the NDP stuff gone, we also shouldn't enable ipv6 forwarding on proxyARP
anymore.
This however now should get a release note entry now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@flokli What do you think. Are we good to go?
The `networking.interfaces.<name?>.proxyARP` option previously mentioned it would also enable IPv6 forwarding and `proxy_ndp`. However, the `proxy_ndp` option was never actually set (the non-existing `net.ipv6.conf.proxy_arp` sysctl was set instead). In addition `proxy_ndp` also needs individual entries for each ip to proxy for. Proxy ARP and Proxy NDP are two different concepts, and enabling the latter should be a conscious decision. This commit removes the broken NDP support, and disables explicitly enabling IPv6 forwarding (which is the default in most cases anyways) Fixes NixOS#62339.
8eda489
to
5d3a72f
Compare
Thanks! |
…roxy_ndp for ipv6 for interfaces that set proxy_ARP
Motivation for this change
Fixes #62339
Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nix-review --run "nix-review wip"
./result/bin/
)nix path-info -S
before and after)