
Re: Guix Network Router?


From: Niklas Schmidt
Subject: Re: Guix Network Router?
Date: Thu, 1 Sep 2022 19:00:12 +0000

On Tue, Aug 30, 2022 at 13:27:45 -0400, Peter Polidoro wrote:
> This looks great, thank you!
>
> I will test it out as soon as I get a chance.

Great!

> > - Set up static IPv4-only networking.
>
> For my particular case I would like a dynamic IP address on the wan interface and static IP addresses on the lan interfaces if that is possible.

I haven't used DHCP. If you find out that dhcp-client-service-type is not flexible enough to listen only on the wan interface, you can always write your own service definition as I did for Dnsmasq.

> > To run without error, the code requires
> > nftables to be installed as it is used to check the rules.
>
> Does nftables-service-type automatically install nftables?


Good that you ask! My wording was a bit sloppy.

When you specify nftables-service-type, Guix does all the necessary steps to configure the Linux kernel's Netfilter. So you don't have to think about that.

But have a look at these lines from my last mail:

;; Needs (ice-9 popen) for open-output-pipe/close-pipe and (guix gexp) for
;; plain-file-content; %my-nftables-ruleset is the plain-file holding the rules.
(use-modules (ice-9 popen) (guix gexp))
(let ((port (open-output-pipe "nft -c -f -")))   ; -c: check the rules only, never load them
  (display (plain-file-content %my-nftables-ruleset) port)
  (if (not (eqv? 0 (status:exit-val (close-pipe port))))
      (error "Nftables rules don't pass check")))

For the first test, you can just remove these four lines of code and don't worry about it.

I wrote this code, because I wanted to ensure that the rules are at least syntactically correct before Guix activates the new operating system definition. The main reason is that my router machine is quite slow and reconfiguration takes, say, a minute or so. If you configure your system with syntactically incorrect rules, 'herd status' (perhaps with 'sudo' in front of it) will report the service failing and there might be log messages at /var/log/messages. Make sure to have console access to the machine, as SSH (and networking in general) is likely to not work.

The above code invokes the 'nft' binary in check mode (-c) and pipes to its standard input the rules, which are to be included in the operating system definition. If you don't have nft in a directory listed in your PATH environment variable, trying to invoke nft will lead to some error (a non-zero exit code of the shell). At this point, my code will just fail and you get no operating system definition at all.
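As an added example (this is not code from Niklas's mail, nor part of Guix), here is a variant of the same 'nft -c' check that tells "nft is not installed" apart from "the rules are invalid", so the failure described above gives a readable message instead of a generic shell error. It assumes the (ice-9 popen), (guix gexp) and (guix build utils) modules, and the sample ruleset bound to %my-nftables-ruleset is constructed for the example only; substitute your own rules.

```scheme
;; Added example, not from the original mail.  Same idea as the four
;; lines above, but with a clear error when nft cannot be found.
(use-modules (ice-9 popen)          ; open-output-pipe, close-pipe
             (guix gexp)            ; plain-file, plain-file-content
             (guix build utils))    ; which

;; Constructed sample ruleset for this example; replace with your own.
;; It keeps SSH reachable on purpose, since a broken ruleset on a router
;; otherwise leaves you with console access only.
(define %my-nftables-ruleset
  (plain-file "nftables.conf"
              "table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    tcp dport ssh accept
  }
}
"))

;; Return #t when 'nft -c' accepts RULESET and #f when it rejects it.
;; Raise an error with an explicit message when nft is not in PATH,
;; instead of the opaque non-zero shell exit the original check yields.
(define (nftables-ruleset-valid? ruleset)
  (unless (which "nft")
    (error "nft not found in PATH; install nftables to check the rules"))
  (let ((port (open-output-pipe "nft -c -f -")))   ; -c: check only, never loads
    (display (plain-file-content ruleset) port)
    ;; close-pipe waits for nft and returns its wait status; exit-val is
    ;; #f if nft died from a signal, which eqv? treats as a failure too.
    (eqv? 0 (status:exit-val (close-pipe port)))))

;; Abort evaluation of the operating system definition early if the
;; rules do not parse, so a broken ruleset never reaches reconfigure.
(unless (nftables-ruleset-valid? %my-nftables-ruleset)
  (error "Nftables rules don't pass check"))
```

Placed at the top level of the system configuration file, the final 'unless' runs while 'guix system reconfigure' evaluates the file, which is exactly the point at which the original four lines run; the only difference is that a missing nft binary and a syntax error now produce distinct messages.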

There are more elegant ways to perform such a check. I am convinced it is possible to let the build daemon execute the check, but I haven't looked into that.


Greetings
Niklas


