atomic-pi: fix IP forwarding config

lopsided98 · Aug 11, 2024 · a0f8fe6 · a0f8fe6
1 parent fa92f79
commit a0f8fe6
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 3 deletions.
diff --git a/modules/local/networking/home.nix b/modules/local/networking/home.nix
@@ -34,6 +34,15 @@ let
         description = "IPv6 prefix delegation to request using DHCPv6";
       };
 
+      ipv4Forwarding = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to allow IPv4 forwarding on this interface. Linux has no
+          per-interface IPv6 forwarding setting.
+        '';
+      };
+
       initrd = mkEnableOption "network in initrd";
     };
   });
@@ -95,7 +104,19 @@ in {
         {
           name = interface;
           inherit (cfg) dns;
-          networkConfig.MulticastDNS = "yes";
+          networkConfig = {
+            MulticastDNS = "yes";
+            # Despite the name, net.ipv6.conf.<interface>.forwarding doesn't
+            # control forwarding at all. Instead, it controls the IsRouter flag
+            # in neighbor advertisments, whether router advertisments are
+            # accepted and whether router solicitations are sent. In practice
+            # this probably doesn't matter since systemd-networkd is handling
+            # all of this rather than the kernel, but explicitly set it to false
+            # anyway to maintain the normal behavior even if other interfaces
+            # are using forwarding.
+            # See: https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch11s02.html
+            IPv6Forwarding = false;
+          };
           dhcpV4Config.UseDNS = false;
           dhcpV6Config = {
             # Router gives out address as part of DHCPv6, but we only want
@@ -125,6 +146,9 @@ in {
             PrefixDelegationHint = interfaceCfg.ipv6DelegatedPrefix;
           };
         })
+        (mkIf (interfaceCfg.ipv4Forwarding) {
+          networkConfig.IPv4Forwarding = true;
+        })
       ];
     };
   in mkMerge [

diff --git a/modules/local/networking/vpn/home/wireguard/server.nix b/modules/local/networking/vpn/home/wireguard/server.nix
@@ -89,16 +89,27 @@ in {
           networkConfig = {
             IPv6AcceptRA = false;
             DHCPPrefixDelegation = true;
-            IPForward = true;
+            IPv4Forwarding = true;
+            # Doesn't actually control forwarding and probably doesn't matter if
+            # we set it, but it doesn't hurt.
+            # See: https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch11s02.html
+            IPv6Forwarding = true;
           };
           dhcpPrefixDelegationConfig = {
             SubnetId = 0;
             Assign = false;
           };
         };
+
+        # Enables forwarding globally. Linux has no per-interface setting; you
+        # are supposed to use the firewall.
+        config.networkConfig.IPv6Forwarding = true;
       };
 
-      local.networking.home.interfaces.${cfg.server.uplinkInterface}.ipv6DelegatedPrefix = cfg.ipv6Prefix;
+      local.networking.home.interfaces.${cfg.server.uplinkInterface} = {
+        ipv6DelegatedPrefix = cfg.ipv6Prefix;
+        ipv4Forwarding = true;
+      };
 
       environment.systemPackages = [ pkgs.wireguard-tools ];