From: Niklas Schmidt
To: Peter Polidoro
Cc: help-guix@gnu.org
Subject: Re: Guix Network Router?
Date: Thu, 1 Sep 2022 19:00:12 +0000
Message-ID: <20220901190012.zox7vflehib6cxdv@posteo.de>
In-Reply-To: <86a67lmy6p.fsf@polidoro.io>
References: <868rndd3xx.fsf@polidoro.io> <20220829201208.bibzb4254v3e2bh7@posteo.de> <86a67lmy6p.fsf@polidoro.io>

On Tue, Aug 30, 2022 at 13:27:45 -0400, Peter Polidoro wrote:
>This looks great, thank you!
>
>I will test it out as soon as I get a chance.

Great!

>>- Set up static IPv4-only networking.
>
>For my particular case I would like a dynamic IP address on the wan
>interface and static IP addresses on the lan interfaces if that is
>possible.

I haven't used DHCP.
If you find out that dhcp-client-service-type is not flexible enough to listen only on the wan interface, you can always write your own service definition, as I did for Dnsmasq.

>>To run without error, the code requires
>>nftables to be installed as it is used to check the rules.
>
>Does nftables-service-type automatically install nftables?
>

Good that you ask! My wording was a bit sloppy. By specifying nftables-service-type, Guix does all the necessary steps to configure the Linux kernel's Netfilter, so you don't have to think about that. But have a look at these lines from my last mail:

  (let ((port (open-output-pipe "nft -c -f -")))
    (display (plain-file-content %my-nftables-ruleset) port)
    (if (not (eqv? 0 (status:exit-val (close-pipe port))))
        (error "Nftables rules don't pass check")))

For the first test, you can just remove these four lines of code and not worry about it.

I wrote this code because I wanted to ensure that the rules are at least syntactically correct before Guix activates the new operating system definition. The main reason is that my router machine is quite slow and reconfiguration takes, say, a minute or so.

If you configure your system with syntactically incorrect rules, 'herd status' (perhaps with 'sudo' in front of it) will report the service failing, and there might be log messages in /var/log/messages. Make sure to have console access to the machine, as SSH (and networking in general) is likely not to work.

The above code invokes the 'nft' binary in check mode (-c) and pipes to its standard input the rules which are to be included in the operating system definition. If you don't have nft in a directory listed in your PATH environment variable, trying to invoke nft will lead to some error (a non-zero exit code of the shell). At this point, my code will just fail and you get no operating system definition at all.

There are more elegant ways to perform such a check. I am convinced it is possible to let the build daemon execute the check, but I haven't looked into that.

Greetings
Niklas
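The pre-reconfigure check discussed in the message above, as an added example that is not part of Niklas's mail or of Guix itself. It goes a little beyond the four lines quoted there: it locates nft on PATH first, so a missing binary produces a clear error instead of an opaque shell exit code, it runs nft -c -f - directly rather than through a shell, and it hands the checked ruleset to nftables-service-type. The ruleset is a constructed sample for a two-interface router; the interface names wan0 and lan0, and the names %my-nftables-ruleset, find-nft, check-nftables-ruleset! and %nftables-service, are assumptions made here.

```scheme
;; Added example, not from the original mail or from Guix: check an
;; nftables ruleset with `nft -c' before it becomes part of the
;; operating system definition.  The ruleset is a constructed sample;
;; the interface names wan0/lan0 and all procedure names are assumptions.
(use-modules (ice-9 popen)
             (guix gexp)
             (gnu services)
             (gnu services networking))

;; Constructed sample ruleset: wan0 is upstream, lan0 is the LAN side.
;; A typo in here is exactly what the check below is meant to catch.
(define %my-nftables-ruleset
  (plain-file "nftables.conf"
              "flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    iifname \"lan0\" accept
    icmp type echo-request accept
    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname \"lan0\" oifname \"wan0\" accept
  }
}
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname \"wan0\" masquerade
  }
}
"))

(define (find-nft)
  "Return the path of the first `nft' found in the directories listed in
PATH, or #f when there is none.  Guile's search-path only tests for
existence, so a non-executable file of that name would still be returned."
  (search-path (string-split (or (getenv "PATH") "") #\:) "nft"))

(define (check-nftables-ruleset! ruleset)
  "Feed the content of RULESET, a plain-file, to `nft -c -f -' and return
RULESET when it passes.  Raise an error when nft is missing or the rules
fail the check, so that evaluating the configuration stops right here,
before anything is built or activated."
  (let ((nft (find-nft)))
    (unless nft
      (error "nft not found on PATH; the check runs on the machine evaluating the configuration"))
    ;; open-pipe* runs nft directly, without a shell, so a non-zero status
    ;; is nft's own verdict rather than the shell failing to find it.
    (let ((port (open-pipe* OPEN_WRITE nft "-c" "-f" "-")))
      (display (plain-file-content ruleset) port)
      (let ((status (status:exit-val (close-pipe port))))
        (unless (eqv? 0 status)
          (error "nftables ruleset failed `nft -c', exit status:" status))
        ruleset))))

;; The service only receives the ruleset after the check passed.  Add
;; %nftables-service to the `services' field of the operating-system.
(define %nftables-service
  (service nftables-service-type
           (nftables-configuration
            (ruleset (check-nftables-ruleset! %my-nftables-ruleset)))))
```

Two caveats follow from the message itself. The check runs in the environment where the configuration file is evaluated (the shell running guix system reconfigure), so nftables has to be installed there, not merely declared in the target system. And nft -c validates syntax only: a ruleset that parses but drops your SSH session will pass the check and still lock you out, so keep console access to the machine as advised above.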