Daniel Barlow
e5cfd41013
add nft_limit kmodule for rate limiting in firewall
2025-03-21 21:19:48 +00:00
Daniel Barlow
0ae5689a40
support maps in firewallgen
2025-03-21 21:19:18 +00:00
Daniel Barlow
45047dc023
squash falls back
2025-03-21 21:09:05 +00:00
Daniel Barlow
3673804b93
think
2025-03-21 21:08:17 +00:00
Daniel Barlow
be03e9e8c8
service outputs falls back to properties (untested)
2025-03-18 18:38:04 +00:00
Daniel Barlow
4e51977ae0
provide properties attr to services
properties are similar to outputs, but are different in that they are
fixed values (do not change) and are present even when the service is
down
if the attribute is present and an attrset, this will write the
equivalent recursive directory structure to $out/.properties/
2025-03-12 23:35:56 +00:00
Daniel Barlow
2b0972ed73
svc.open accepts a /nix/store folder not an outputs folder
this mostly makes things simpler
2025-03-11 00:21:44 +00:00
Daniel Barlow
f22237a3b3
doc: filter src attribute to not rebuild as much
2025-03-10 23:08:37 +00:00
Daniel Barlow
9dc0f25587
min-copy-closure test: ensure sshd up before starting
this test goes wrong intermittently in CI, see if this makes it more
reliable
2025-03-09 21:37:13 +00:00
Daniel Barlow
9ab77a7d7e
remove unused function
2025-03-09 20:44:35 +00:00
Daniel Barlow
c6918fec00
firewall: use extraText for zone set contents
* the lua necessary is quite wordy, but it's less of a hack than
post-processing the rules file with pseudo-sed to get rid of `elements
= { }` lines
* also switch from stop/starting the firewall service to using a
signal, so that we don't go briefly offline every time a new interface
appears
2025-03-09 20:42:02 +00:00
Daniel Barlow
d4e46dbe28
secrets/subscriber don't depend on the services we're watching
this means a watched service can stop and start without killing
the subscriber, and that we can watch for services that don't
yet exist
2025-03-09 20:35:40 +00:00
Daniel Barlow
d1f87a56e0
secrets/subscriber: use correct numbers for signals to s6-svc
2025-03-09 20:34:29 +00:00
Daniel Barlow
8c39b47cae
output-template: allow splicing statements instead of expression
if the text inside the delimiters begins with ; (a semicolon) then
the rest of it is expected to be one or more Lua statements. It needs
to say `return "foo"` to interpolate anything, as there is no
implicit return of the value of the last statement
2025-03-05 22:38:48 +00:00
Daniel Barlow
2c7a16d792
firewallgen: add extraText param to set
anything in here is added verbatim to the set definition
2025-03-05 22:36:35 +00:00
Daniel Barlow
d6b06abb63
delete second copy of output-template
2025-03-02 21:34:02 +00:00
Daniel Barlow
6b32aa569e
think
2025-03-02 21:21:45 +00:00
Daniel Barlow
234d1bd87e
basic unit tests for output-template
2025-03-02 21:14:46 +00:00
Daniel Barlow
c38f180fb7
output-template expose table module
2025-03-02 21:14:16 +00:00
Daniel Barlow
9a8b22997c
output-template: pass the tests
2025-03-02 21:09:32 +00:00
Daniel Barlow
c32d09bd83
output-template: run the tests
2025-03-02 21:09:11 +00:00
Daniel Barlow
6649ebeccd
firewall: use watch-outputs to track changes in zone->interface map
includes a horrible hack to work around (claimed (by me)) deficiencies
in the nftables parser
2025-02-28 00:43:20 +00:00
Daniel Barlow
929226ed9e
delete commented code
2025-02-27 20:55:30 +00:00
Daniel Barlow
a98f026210
think
2025-02-27 20:54:44 +00:00
Daniel Barlow
f4dc001b71
check firewall zones in pppoe test
2025-02-25 23:32:05 +00:00
Daniel Barlow
024c018262
run the output-template test
2025-02-22 00:10:19 +00:00
Daniel Barlow
e1293e3778
think
2025-02-21 23:22:39 +00:00
Daniel Barlow
0c406058e9
remove acceptance of udp sport 5 on wan
this was added for replies to dns queries but isn't needed for
that purpose as connection tracking does that anyway
2025-02-12 21:54:01 +00:00
Daniel Barlow
19d441333c
remove duplicate rule
2025-02-10 23:50:07 +00:00
Daniel Barlow
a726c09ae4
improve explanation of reverse path filtering rule
thanks RoS for the references :-)
2025-02-10 23:48:29 +00:00
Daniel Barlow
7e2b0068e6
nixfmt-rfc-style
There is nothing in this commit except for the changes made by
nix-shell -p nixfmt-rfc-style --run "nixfmt ."
If this has mucked up your open branches then sorry about that. You
can probably nixfmt them to match before merging
2025-02-10 21:55:08 +00:00
dan
13cc5a8992
Merge pull request 'support firewall zones: don't hardcode interface names in rules' (#16) from firescape into main
Reviewed-on: https://gti.telent.net/dan/liminix/pulls/16
2025-02-10 21:23:15 +00:00
Daniel Barlow
3f889c7119
default firewall zones in gateway profile
2025-02-10 21:21:08 +00:00
Daniel Barlow
7f17125039
firewall: update zones with interface names as they appear
2025-02-10 21:21:08 +00:00
Daniel Barlow
4bb081ffcf
export anoia.svc:fileno so it can be used with event loops
2025-02-10 21:21:08 +00:00
Daniel Barlow
6587813577
WIP add zones to firewall module
- zones are an attrset of name -> [interface-service]
- the firewall will create empty "ifname" sets for each zone name
in each address family (ip, ip6)
- then watch the interface services, and add the "ifname" outputs
to the corresponding sets when they appear
This commit only adds the empty sets
2025-02-10 21:21:08 +00:00
Daniel Barlow
1d780de0f1
add (very basic) set support in firewallgen
and add sets for lan/wan/dmz/guest interface names to default
firewall rules
2025-02-10 21:17:43 +00:00
Daniel Barlow
8cf602da91
think
2025-02-10 21:17:43 +00:00
Daniel Barlow
c92aacc6fd
firewall rules: use @lan and @wan sets instead of ifnames
we don't have anything yet to create or populate the sets
2025-02-06 09:22:41 +00:00
Daniel Barlow
eff255fe12
boot.expect: sleep more, for gl-ar750
the bootloader on gl-ar750 loses characters if we shovel them too fast
2025-02-05 20:35:04 +00:00
Daniel Barlow
453baede61
rt3200: add installer compatibility note
2025-02-05 20:35:04 +00:00
dan
2295ed3110
Merge pull request 'OpenWrt One device support' (#13) from raboof/liminix:openwrt-one into main
Reviewed-on: https://gti.telent.net/dan/liminix/pulls/13
2025-01-08 13:57:39 +00:00
Arnout Engelen
e71d92eb3d
OpenWrt One support
https://openwrt.org/toh/openwrt/one
2025-01-07 16:10:04 +01:00
Daniel Barlow
f77da6f14c
remove remaining refs to kexecboot
2025-01-05 17:22:30 +00:00
Daniel Barlow
61eaaa82eb
drivel
2025-01-05 17:17:44 +00:00
Daniel Barlow
95dd1a1fab
add missing code-block
2025-01-05 15:45:04 +00:00
Daniel Barlow
2f9b0f12f9
switch uid
2025-01-05 12:57:51 +00:00
Daniel Barlow
9fd9b8b878
rt3200 kconfig for 6.6.x
* DMA stuff needed for wired ethernet
* DSA MDIO _probably_ (based on guessing from openwrt dmesg) needed
for wired ethernet
* some or all of NVMEM so that wireless drivers can read their eeprom
2025-01-05 00:16:03 +00:00
Daniel Barlow
26f206d0e1
phram dtb reserved-memory needs no-map
c.f. 69429404ab
Co-authored-by: Arnout Engelen <arnout@bzzt.net>
2025-01-04 23:50:44 +00:00
Daniel Barlow
8cd068ea68
belkin rt3200: set tftp loadAddress to match u-boot
the old value of 0x4007ff28 was originally copied from something
upstreamy but I have no record of what. 0x48000000 is $loadaddr
in u-boot so let's use that instead
2025-01-04 23:48:19 +00:00