| author | Luke Granger-Brown <git@lukegb.com> | 2025-08-10 16:41:43 +0200 |
|---|---|---|
| committer | Florian Klink <flokli@flokli.de> | 2025-08-10 17:00:13 +0200 |
| commit | 4548324aae5650a39e9a77816f6f2de4f16e0ed6 (patch) | |
| tree | 66e04766c44910342db911ef5166a0a772592308 | |
| parent | nixos/tayga: add log option (diff) | |
| download | nixpkgs-4548324aae5650a39e9a77816f6f2de4f16e0ed6.tar.gz | |
nixos/tayga: add option to allow toggling WKPF strict compliance
The RFC requires that we don't allow access to non-global v4 addresses
using the well-known 64:ff9b:: prefix, but there are some deployments
where it's convenient to permit this.
To make this work in tests, disable wkpf-strictness via the config
option introduced in bc18503e2ff1ee48ac472a67ba982dae76a5c2d3.
Tayga added 100.64.0.0 to the set of WKPF in
4dff17ef61821f5bc1996ce687a3dc317fd4fa50.
| -rw-r--r-- | nixos/modules/services/networking/tayga.nix | 8 | ||||
| -rw-r--r-- | nixos/tests/tayga.nix | 11 |
2 files changed, 14 insertions, 5 deletions
diff --git a/nixos/modules/services/networking/tayga.nix b/nixos/modules/services/networking/tayga.nix
index 047c9ba396be..8a039aa75abf 100644
--- a/nixos/modules/services/networking/tayga.nix
+++ b/nixos/modules/services/networking/tayga.nix
@@ -27,6 +27,8 @@ let
 ${optionalString ((builtins.length cfg.log) > 0) ''
 log ${concatStringsSep " " cfg.log}
 ''}
+
+ wkpf-strict ${if cfg.wkpfStrict then "yes" else "no"}
 '';
 addrOpts =
@@ -145,6 +147,12 @@ in
 [ "drop" "reject" "icmp" "self" ]
 '';
 };
+
+ wkpfStrict = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Enable restrictions on the use of the well-known prefix (64:ff9b::/96) - prevents translation of non-global IPv4 ranges when using the well-known prefix. Must be enabled for RFC 6052 compatibility.";
+ };
 };
 };
diff --git a/nixos/tests/tayga.nix b/nixos/tests/tayga.nix
index 5076a05c884b..61e7724a9413 100644
--- a/nixos/tests/tayga.nix
+++ b/nixos/tests/tayga.nix
@@ -31,11 +31,10 @@
 };
 nodes = {
- # The server is configured with static IPv4 addresses. RFC 6052 Section 3.1
- # disallows the mapping of non-global IPv4 addresses like RFC 1918 into the
- # Well-Known Prefix 64:ff9b::/96. TAYGA also does not allow the mapping of
- # documentation space (RFC 5737). To circumvent this, 100.64.0.2/24 from
- # RFC 6589 (Carrier Grade NAT) is used here.
+ # The server is configured with static IPv4 addresses. We have to disable the
+ # well-known prefix restrictions (as required by RFC 6052 Section 3.1) because
+ # we're using private space (TAYGA also considers documentation space non-global,
+ # unfortunately).
 # To reach the IPv4 address pool of the NAT64 gateway, there is a static
 # route configured. In normal cases, where the router would also source NAT
 # the pool addresses to one IPv4 addresses, this would not be needed.
@@ -145,6 +144,7 @@
 "icmp"
 "self"
 ];
+ wkpfStrict = false;
 };
 environment.systemPackages = [ pkgs.tcpdump ];
 };
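Review bot: The `wkpf-strict` directive is now written into the tayga config unconditionally, so every existing deployment left at the default `wkpfStrict = true` starts emitting `wkpf-strict yes`; if the tayga package in nixpkgs is older than the upstream commit the message cites as introducing the directive (bc18503e), those deployments would fail on an unknown keyword instead of keeping their previous behaviour. Emitting the directive only for the non-default value, `${optionalString (!cfg.wkpfStrict) "wkpf-strict no"}`, keeps the generated file byte-identical for existing users and leaves strict mode to tayga's own default, which the commit message describes as the RFC-required behaviour. If the packaged version is known to be new enough, an explicit `yes` is acceptable and only that version floor needs confirming. The let-binding that builds the config file starts before the hunk.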
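Review bot: The `wkpfStrict` description states the RFC requirement but not the consequence of setting it to `false`: once the restriction is off, any IPv6 host that can reach the translator can address RFC 1918 and other non-global IPv4 ranges through `64:ff9b::/96`, which is exactly the exposure RFC 6052 Section 3.1 exists to prevent, and a user reading only the option text will not see that trade-off. I would add a sentence along the lines of `Disable only on closed or lab networks, or together with IPv4-side firewall rules, since it exposes non-global IPv4 ranges to every IPv6 source that can reach the translator.` As a point of style, nixpkgs option descriptions of this length are usually written as a multi-line `''` string rather than one long `"..."` literal. The option set this `mkOption` belongs to starts before the hunk.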
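Review bot: The new comment's parenthetical "(as required by RFC 6052 Section 3.1)" reads as if the RFC required disabling the restrictions, when it is the restrictions themselves that the RFC mandates; the text it replaces was explicit about this. Rewording the second line to `# well-known-prefix restrictions that RFC 6052 Section 3.1 mandates, because` removes the ambiguity. It would also help to say which address range is in use and that `wkpfStrict = false` on the nodes is what the comment refers to, since "private space" is vaguer than the 100.64.0.0/10 shared address space (RFC 6598) the old text named; the node addresses are not visible in this diff, so I cannot tell which is accurate. The `nodes` attribute set continues past the hunk.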
@@ -217,6 +217,7 @@
 "icmp"
 "self"
 ];
+ wkpfStrict = false;
 };
 environment.systemPackages = [ pkgs.tcpdump ];
 };
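Review bot: Both test nodes now run with `wkpfStrict = false`, so the test no longer exercises the default strict behaviour at all, and a regression that dropped the `wkpf-strict` line from the generated config or inverted the yes/no mapping would pass unnoticed. A cheap guard is an additional node (or subtest) left at the default that asserts a non-global IPv4 address is refused through the well-known prefix, e.g. `client.fail("curl -sS --fail --connect-timeout 3 http://[64:ff9b::100.64.0.2]/")`, with the address adapted to whatever the nodes actually use, which this hunk does not show. The node definition this line sits in starts before the hunk.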
