-rw-r--r--nixos/modules/services/networking/tayga.nix8
-rw-r--r--nixos/tests/tayga.nix11
2 files changed, 14 insertions, 5 deletions
diff --git a/nixos/modules/services/networking/tayga.nix b/nixos/modules/services/networking/tayga.nix
index 047c9ba396be..8a039aa75abf 100644
--- a/nixos/modules/services/networking/tayga.nix
+++ b/nixos/modules/services/networking/tayga.nix
@@ -27,6 +27,8 @@ let
${optionalString ((builtins.length cfg.log) > 0) ''
log ${concatStringsSep " " cfg.log}
''}
+
+ wkpf-strict ${if cfg.wkpfStrict then "yes" else "no"}
'';
addrOpts =
@@ -145,6 +147,12 @@ in
[ "drop" "reject" "icmp" "self" ]
'';
};
+
+ wkpfStrict = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Enable restrictions on the use of the well-known prefix (64:ff9b::/96) - prevents translation of non-global IPv4 ranges when using the well-known prefix. Must be enabled for RFC 6052 compatibility.";
+ };
};
};
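Review bot: The `wkpfStrict` description says what the restriction does but not what turning it off exposes. With `wkpfStrict = false` and the well-known prefix in use, non-global IPv4 ranges become translatable, so IPv6 hosts that can reach the NAT64 prefix may be able to reach internal IPv4 networks behind the gateway unless a firewall prevents it. I would append a sentence such as `Disabling this allows IPv6 clients to reach private and other non-global IPv4 addresses through 64:ff9b::/96; only disable it on isolated or firewalled networks.` The enclosing options block starts and ends outside the hunk.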
diff --git a/nixos/tests/tayga.nix b/nixos/tests/tayga.nix
index 5076a05c884b..61e7724a9413 100644
--- a/nixos/tests/tayga.nix
+++ b/nixos/tests/tayga.nix
@@ -31,11 +31,10 @@
};
nodes = {
- # The server is configured with static IPv4 addresses. RFC 6052 Section 3.1
- # disallows the mapping of non-global IPv4 addresses like RFC 1918 into the
- # Well-Known Prefix 64:ff9b::/96. TAYGA also does not allow the mapping of
- # documentation space (RFC 5737). To circumvent this, 100.64.0.2/24 from
- # RFC 6589 (Carrier Grade NAT) is used here.
+ # The server is configured with static IPv4 addresses. We have to disable the
+ # well-known prefix restrictions (as required by RFC 6052 Section 3.1) because
+ # we're using private space (TAYGA also considers documentation space non-global,
+ # unfortunately).
# To reach the IPv4 address pool of the NAT64 gateway, there is a static
# route configured. In normal cases, where the router would also source NAT
# the pool addresses to one IPv4 addresses, this would not be needed.
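Review bot: The parenthetical in the new comment is attached to the wrong clause: `We have to disable the well-known prefix restrictions (as required by RFC 6052 Section 3.1)` reads as if the RFC requires disabling them, whereas the removed text shows that Section 3.1 is what imposes the restriction. Something like `# RFC 6052 Section 3.1 forbids mapping non-global IPv4 addresses into 64:ff9b::/96,` followed by `# so this test sets wkpfStrict = false because its IPv4 addresses are not global.` would avoid that reading. The comment also says "private space", while the removed text names 100.64.0.2/24 and no hunk visible here changes an address; if that address is still in use, naming the actual range would be more accurate.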
@@ -145,6 +144,7 @@
"icmp"
"self"
];
+ wkpfStrict = false;
};
environment.systemPackages = [ pkgs.tcpdump ];
};
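Review bot: Both tayga service definitions touched by this commit set `wkpfStrict = false` (here and in the hunk at -217), so the test never exercises the default `true` that the module ships. That default is the security-relevant path, since it is what keeps non-global IPv4 ranges from being reachable through 64:ff9b::/96. A node left at the default, with a check that a non-global IPv4 destination is not translated, would cover it; at minimum a comment such as `# strict well-known-prefix mode is not covered by this test` next to the setting would record the gap. The surrounding service definition starts outside the hunk.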
@@ -217,6 +217,7 @@
"icmp"
"self"
];
+ wkpfStrict = false;
};
environment.systemPackages = [ pkgs.tcpdump ];
};