| author | Luke Granger-Brown <git@lukegb.com> | 2025-08-10 17:50:45 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-08-10 17:50:45 +0200 |
| commit | 7f552ff771cf6d4616c26df8beeea170be371891 (patch) | |
| tree | 3b8b5ef08c59aadf18b815fcc0da2565b19e94ce | |
| parent | vimPlugins.workspaces-nvim: init at 2024-10-08 (#432480) (diff) | |
| parent | nixos/tayga: add option to allow toggling WKPF strict compliance (diff) | |
| download | nixpkgs-7f552ff771cf6d4616c26df8beeea170be371891.tar.gz | |
tayga: 0.9.2 -> 0.9.5 (#432528)
| -rw-r--r-- | nixos/modules/services/networking/tayga.nix | 26 | ||||
| -rw-r--r-- | nixos/tests/tayga.nix | 29 | ||||
| -rw-r--r-- | pkgs/by-name/ta/tayga/package.nix | 29 |
3 files changed, 68 insertions, 16 deletions
diff --git a/nixos/modules/services/networking/tayga.nix b/nixos/modules/services/networking/tayga.nix
index 062d8fe52317..8a039aa75abf 100644
--- a/nixos/modules/services/networking/tayga.nix
+++ b/nixos/modules/services/networking/tayga.nix
@@ -23,6 +23,12 @@ let
 data-dir ${cfg.dataDir}
 ${concatStringsSep "\n" (mapAttrsToList (ipv4: ipv6: "map " + ipv4 + " " + ipv6) cfg.mappings)}
+
+ ${optionalString ((builtins.length cfg.log) > 0) ''
+ log ${concatStringsSep " " cfg.log}
+ ''}
+
+ wkpf-strict ${if cfg.wkpfStrict then "yes" else "no"}
 '';
 addrOpts =
@@ -132,6 +138,21 @@ in
 }
 '';
 };
+
+ log = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = "Packet errors to log (drop, reject, icmp, self)";
+ example = literalExpression ''
+ [ "drop" "reject" "icmp" "self" ]
+ '';
+ };
+
+ wkpfStrict = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Enable restrictions on the use of the well-known prefix (64:ff9b::/96) - prevents translation of non-global IPv4 ranges when using the well-known prefix. Must be enabled for RFC 6052 compatibility.";
+ };
 };
 };
@@ -171,13 +192,16 @@ in
 };
 };
+ environment.etc."tayga.conf".source = configFile;
+
 systemd.services.tayga = {
 description = "Stateless NAT64 implementation";
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
+ reloadTriggers = [ configFile ];
 serviceConfig = {
- ExecStart = "${cfg.package}/bin/tayga -d --nodetach --config ${configFile}";
+ ExecStart = "${cfg.package}/bin/tayga -d --nodetach --config /etc/tayga.conf";
 ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
 Restart = "always";
diff --git a/nixos/tests/tayga.nix b/nixos/tests/tayga.nix
index 32512224bb58..61e7724a9413 100644
--- a/nixos/tests/tayga.nix
+++ b/nixos/tests/tayga.nix
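Review bot: The new `log` option is typed `types.listOf types.str`, but the `log ${concatStringsSep " " cfg.log}` line it feeds into the generated config only has the four keywords the description names, so a typo is discovered only when tayga parses `/etc/tayga.conf` at start or reload, and a value containing whitespace or a newline would be written into the config unchecked. Tightening it to `type = types.listOf (types.enum [ "drop" "reject" "icmp" "self" ]);` moves the check to evaluation time, assuming tayga 0.9.5 accepts exactly that set — which the description already asserts. The `(builtins.length cfg.log) > 0` guard could then read `optionalString (cfg.log != [ ])`. The `configFile` definition this first hunk edits begins before the hunk.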
@@ -31,11 +31,10 @@
 };
 nodes = {
- # The server is configured with static IPv4 addresses. RFC 6052 Section 3.1
- # disallows the mapping of non-global IPv4 addresses like RFC 1918 into the
- # Well-Known Prefix 64:ff9b::/96. TAYGA also does not allow the mapping of
- # documentation space (RFC 5737). To circumvent this, 100.64.0.2/24 from
- # RFC 6589 (Carrier Grade NAT) is used here.
+ # The server is configured with static IPv4 addresses. We have to disable the
+ # well-known prefix restrictions (as required by RFC 6052 Section 3.1) because
+ # we're using private space (TAYGA also considers documentation space non-global,
+ # unfortunately).
 # To reach the IPv4 address pool of the NAT64 gateway, there is a static
 # route configured. In normal cases, where the router would also source NAT
 # the pool addresses to one IPv4 addresses, this would not be needed.
@@ -63,6 +62,7 @@
 };
 };
 programs.mtr.enable = true;
+ environment.systemPackages = [ pkgs.tcpdump ];
 };
 # The router is configured with static IPv4 addresses towards the server
@@ -87,6 +87,7 @@
 ];
 networking = {
+ hostName = "router-systemd";
 useDHCP = false;
 useNetworkd = true;
 firewall.enable = false;
@@ -137,7 +138,15 @@
 mappings = {
 "192.0.2.42" = "2001:db8::2";
 };
+ log = [
+ "drop"
+ "reject"
+ "icmp"
+ "self"
+ ];
+ wkpfStrict = false;
 };
+ environment.systemPackages = [ pkgs.tcpdump ];
 };
 router_nixos = {
@@ -152,6 +161,7 @@
 ];
 networking = {
+ hostName = "router-nixos";
 useDHCP = false;
 firewall.enable = false;
 interfaces.eth1 = lib.mkForce {
@@ -201,7 +211,15 @@
 mappings = {
 "192.0.2.42" = "2001:db8::2";
 };
+ log = [
+ "drop"
+ "reject"
+ "icmp"
+ "self"
+ ];
+ wkpfStrict = false;
 };
+ environment.systemPackages = [ pkgs.tcpdump ];
 };
 # The client is configured with static IPv6 addresses. It has also a static
@@ -233,6 +251,7 @@
 };
 };
 programs.mtr.enable = true;
+ environment.systemPackages = [ pkgs.tcpdump ];
 };
 };
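Review bot: With `wkpfStrict = false` on both router nodes the test now exercises only the non-strict path, while the module default is `wkpfStrict = true`; the test script lies outside these hunks, so whether the default (and the `wkpf-strict yes` config line it emits) is still started and checked anywhere cannot be seen here. A router node that keeps the default, or at least an assertion that the service starts with it, would catch a regression in the new option. The replacement comment is also ambiguous — `(as required by RFC 6052 Section 3.1)` reads as if disabling were required; `# well-known prefix restrictions (which RFC 6052 Section 3.1 mandates) because` says what is meant. `pkgs.tcpdump` is added to four nodes' `environment.systemPackages`; if the test script never invokes it, this looks like a debugging leftover.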
diff --git a/pkgs/by-name/ta/tayga/package.nix b/pkgs/by-name/ta/tayga/package.nix
index bc6052464938..5e6adac35c75 100644
--- a/pkgs/by-name/ta/tayga/package.nix
+++ b/pkgs/by-name/ta/tayga/package.nix
@@ -1,23 +1,32 @@
 {
 lib,
 stdenv,
- fetchurl,
+ fetchFromGitHub,
 nixosTests,
 }:
 stdenv.mkDerivation (finalAttrs: {
- version = "0.9.2";
+ version = "0.9.5";
 pname = "tayga";
- src = fetchurl {
- url = "http://www.litech.org/tayga/tayga-${finalAttrs.version}.tar.bz2";
- hash = "sha256-Kx95J6nS3P+Qla/zwnGSSwUsz9L6ypWIsndDGkTwAJw=";
+ src = fetchFromGitHub {
+ owner = "apalrd";
+ repo = "tayga";
+ tag = finalAttrs.version;
+ hash = "sha256-xOm4fetFq2UGuhOojrT8WOcX78c6MLTMVbDv+O62x2E=";
 };
- env.NIX_CFLAGS_COMPILE = toString [
- "-Wno-address-of-packed-member"
- "-Wno-implicit-function-declaration"
- ];
+ preBuild = ''
+ echo "#define TAYGA_VERSION \"${finalAttrs.version}\"" > version.h
+ '';
+
+ installPhase = ''
+ install -Dm755 tayga $out/bin/tayga
+ install -D tayga.conf.5 $out/share/man/man5/tayga.conf.5
+ install -D tayga.8 $out/share/man/man8/tayga.8
+ cp -R docs $out/share/
+ cp tayga.conf.example $out/share/docs/
+ '';
 passthru.tests.tayga = nixosTests.tayga;
@@ -30,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: {
 It is intended to provide production-quality NAT64 service for networks
 where dedicated NAT64 hardware would be overkill.
 '';
- homepage = "http://www.litech.org/tayga";
+ homepage = "https://github.com/apalrd/tayga";
 license = licenses.gpl2Plus;
 maintainers = with maintainers; [ _0x4A6F ];
 platforms = platforms.linux;
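Review bot: The new `installPhase` omits `runHook preInstall` and `runHook postInstall`, so `preInstall`/`postInstall` hooks attached by overrides or setup hooks are silently skipped; add `runHook preInstall` as its first line and `runHook postInstall` as its last. The documentation ends up under `$out/share/docs/` (`cp -R docs $out/share/` followed by `cp tayga.conf.example $out/share/docs/`) rather than the conventional `$out/share/doc/tayga/`, which is worth settling before anything depends on the path. `preBuild` hand-writes `version.h` with no comment saying why — presumably the GitHub tarball lacks the file that upstream's build otherwise generates from git metadata; a one-line comment such as `# version.h is not present in the fetched tree; provide the version string ourselves (verify against upstream Makefile)` would save the next updater a search. The `stdenv.mkDerivation (finalAttrs: {` body continues past the first hunk.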
