Daniel Barlow
71aed767f2
switch logtap to use fifo instead of af_unix
2025-10-08 20:10:11 +01:00
Daniel Barlow
a343e63231
rename logshipper -> logtap
- it matches the executable name
- it doesn't ship anything anyway, it's just plumbing
2025-10-08 20:10:11 +01:00
Daniel Barlow
cacde953cb
don't ask chrony to drop privs, it needs libpcap
2025-10-08 20:10:11 +01:00
Daniel Barlow
7e6a59631a
firewall needs the secrets subscriber
2025-08-12 20:07:39 +01:00
Daniel Barlow
f728b584a2
add "nobody" user needed by rp-pppoe
2025-04-14 21:27:44 +01:00
Daniel Barlow
210b41efc0
improve robustness of ppp readiness notification
there was a race where ip-up could write ifname and then
ip6-up could write its outputs and then test ifname and
signal ready before ip-up had written the rest of its outputs
2025-03-31 23:17:50 +01:00
Daniel Barlow
53c6d506cf
dhcp6c subscribe to ppp ifindex
when the peer bounces ppp, s6 will restart the ppp process but not
restart the dependent services (because the service isn't considered
to have gone down)
so the dependent services need to notice when the outputs from ppp
have changed
2025-03-31 23:15:28 +01:00
Daniel Barlow
01fe2159b4
ppp: write ifindex as output
because what happens if the service is restarted but the new ppp0 is
a different interface than the old one so that services which had
bound to it with the old name are now not getting new data
(I am not 100% sure that this actually happens but it seems like it would
be good to avoid it if it does)
2025-03-31 23:11:30 +01:00
Daniel Barlow
d7d19b5ed0
dhcp6 client: fix service dir in address and prefix acquirers
the scripts now expect the actual service dir instead of the .outputs
subdir
2025-03-31 23:06:40 +01:00
Daniel Barlow
ee683f2202
firewall: fix syntax of icmp v4 rule
2025-03-31 23:03:24 +01:00
Daniel Barlow
d9723aeb87
secrets subscriber: make restart-all work
2025-03-31 23:01:48 +01:00
Daniel Barlow
46ed8f0199
add bandwidth as a service option for ppp (l2tp, pppoe)
2025-03-27 20:23:26 +00:00
Daniel Barlow
dd44fbaec1
rate limit for v4 icmp
2025-03-27 20:21:48 +00:00
Daniel Barlow
89065be6cd
bandwidth is bits/second so divide by 8
2025-03-27 20:21:14 +00:00
Daniel Barlow
420320e434
firewall: remove unused args/names/vars
2025-03-27 18:40:07 +00:00
Daniel Barlow
1a6160bcab
firewall: show how to ratelimit icmp6 to 5% of available bandwidth
it's a little klunky as yet, requires setting properties.bandwidth on
the interface service
2025-03-25 23:53:02 +00:00
Daniel Barlow
e5cfd41013
add nft_limit kmodule for rate limiting in firewall
2025-03-21 21:19:48 +00:00
Daniel Barlow
2b0972ed73
svc.open accepts a /nix/store folder not an outputs folder
this mostly makes things simpler
2025-03-11 00:21:44 +00:00
Daniel Barlow
9ab77a7d7e
remove unused function
2025-03-09 20:44:35 +00:00
Daniel Barlow
c6918fec00
firewall: use extraText for zone set contents
* the lua necessary is quite wordy, but it's less of a hack than
post-processing the rules file with pseudo-sed to get rid of `elements
= { }` lines
* also switch from stop/starting the firewall service to using a
signal, so that we don't go briefly offline every time a new interface
appears
2025-03-09 20:42:02 +00:00
Daniel Barlow
d4e46dbe28
secrets/subscriber don't depend on the services we're watching
this means a watched service can stop and start without killing
the subscriber, and that we can watch for services that don't
yet exist
2025-03-09 20:35:40 +00:00
Daniel Barlow
d1f87a56e0
secrets/subscriber: use correct numbers for signals to s6-svc
2025-03-09 20:34:29 +00:00
Daniel Barlow
6649ebeccd
firewall: use watch-outputs to track changes in zone->interface map
includes a horrible hack to work around (claimed (by me)) deficiencies
in the nftables parser
2025-02-28 00:43:20 +00:00
Daniel Barlow
0c406058e9
remove acceptance of udp sport 5 on wan
this was added for replies to dns queries but isn't needed for
that purpose as connection tracking does that anyway
2025-02-12 21:54:01 +00:00
Daniel Barlow
19d441333c
remove duplicate rule
2025-02-10 23:50:07 +00:00
Daniel Barlow
a726c09ae4
improve explanation of reverse path filtering rule
thanks RoS for the references :-)
2025-02-10 23:48:29 +00:00
Daniel Barlow
7e2b0068e6
nixfmt-rfc-style
There is nothing in this commit except for the changes made by
nix-shell -p nixfmt-rfc-style --run "nixfmt ."
If this has mucked up your open branches then sorry about that. You
can probably nixfmt them to match before merging
2025-02-10 21:55:08 +00:00
Daniel Barlow
3f889c7119
default firewall zones in gateway profile
2025-02-10 21:21:08 +00:00
Daniel Barlow
7f17125039
firewall: update zones with interface names as they appear
2025-02-10 21:21:08 +00:00
Daniel Barlow
6587813577
WIP add zones to firewall module
- zones are an attrset of name -> [interface-service]
- the firewall will create empty "ifname" sets for each zone name
in each address family (ip, ip6)
- then watch the interface services, and add the "ifname" outputs
to the corresponding sets when they appear
This commit only adds the empty sets
2025-02-10 21:21:08 +00:00
Daniel Barlow
1d780de0f1
add (very basic) set support in firewallgen
and add sets for lan/wan/dmz/guest interface names to default
firewall rules
2025-02-10 21:17:43 +00:00
Daniel Barlow
c92aacc6fd
firewall rules: use @lan and @wan sets instead of ifnames
we don't have anything yet to create or populate the sets
2025-02-06 09:22:41 +00:00
Daniel Barlow
f77da6f14c
remove remaining refs to kexecboot
2025-01-05 17:22:30 +00:00
Daniel Barlow
26f206d0e1
phram dtb reserved-memory needs no-map
cf. 69429404ab
Co-authored-by: Arnout Engelen <arnout@bzzt.net>
2025-01-04 23:50:44 +00:00
Daniel Barlow
13cb8d3692
sort imports
2025-01-03 15:41:22 +00:00
Daniel Barlow
62b7aea8ab
add btrfs.nix to outputs imports
2025-01-03 15:40:33 +00:00
Daniel Barlow
92284fa9ba
mtdimage can't be a default import
it adds kernel config that depends on openwrt patches,
which aren't used/needed on all devices
2025-01-03 00:19:17 +00:00
Daniel Barlow
74027b44d7
extract log persistence config from s6 to new module
because it frobs kernel config, it breaks levitate
as levitate evalModules doesn't include the kernel
2025-01-02 23:56:49 +00:00
Daniel Barlow
ea5370b3f4
import mtdimage in outputs
2025-01-02 23:37:07 +00:00
Daniel Barlow
7377f7ceb2
implement mechanism for reverting from update.sh
2025-01-02 22:19:49 +00:00
Daniel Barlow
cc94ef57fa
in rc.init copy log from previous boot to place of safety
2025-01-01 18:22:45 +00:00
Daniel Barlow
497307588f
automate ubimage instructions a little
2025-01-01 12:38:08 +00:00
Daniel Barlow
28d39cd66d
provide etc/kconfig in updater output
this is for debugging/documentation purposes and isn't copied to the
device
2025-01-01 11:55:33 +00:00
Daniel Barlow
f2e4e77d73
firewall: don't use oifname in input rules
because it's empty, these are input rules for the local machine
2024-12-29 23:17:31 +00:00
Daniel Barlow
4d273a9469
dropbear would like /etc/shells to exist
2024-12-29 13:27:49 +00:00
Daniel Barlow
40db175b41
complain if user is attempting to tftpboot a ubifs
2024-12-29 13:26:45 +00:00
Daniel Barlow
ab07212a7e
include jffs2 module per default
it has no effect unless enabled
2024-12-29 13:26:06 +00:00
Daniel Barlow
294492a176
jiggle imports
2024-12-24 13:46:19 +00:00
Arnout Engelen
f8a275d1a3
use Linux kernel sources associated with openwrt by default
2024-12-24 12:30:15 +00:00
Daniel Barlow
bc20f4c6b7
rt3200 test install
2024-12-23 23:59:52 +00:00