mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 06:00:33 +03:00

nixos/network-interfaces: always apply privacy extensions

Fixes #56306
Linus Heckemann 2019-04-11 19:41:47 +02:00
parent fef728b6ea
commit 26317b02ae
2 changed files with 18 additions and 5 deletions


@ -1087,7 +1087,14 @@ in
virtualisation.vswitch = mkIf (cfg.vswitches != { }) { enable = true; }; virtualisation.vswitch = mkIf (cfg.vswitches != { }) { enable = true; };
services.udev.packages = mkIf (cfg.wlanInterfaces != {}) [ services.udev.packages = [
(pkgs.writeTextFile rec {
name = "99-ipv6-privacy-extensions.rules";
destination = "/etc/udev/rules.d/99-${name}";
text = ''
ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.procps}/bin/sysctl net.ipv6.conf.%k.use_tempaddr=2"
'';
}) ] ++ lib.optional (cfg.wlanInterfaces != {})
(pkgs.writeTextFile { (pkgs.writeTextFile {
name = "99-zzz-40-wlanInterfaces.rules"; name = "99-zzz-40-wlanInterfaces.rules";
destination = "/etc/udev/rules.d/99-zzz-40-wlanInterfaces.rules"; destination = "/etc/udev/rules.d/99-zzz-40-wlanInterfaces.rules";
@ -1161,8 +1168,7 @@ in
# Generate the same systemd events for both 'add' and 'move' udev events. # Generate the same systemd events for both 'add' and 'move' udev events.
ACTION=="move", SUBSYSTEM=="net", ENV{DEVTYPE}=="wlan", NAME=="${device}", ${systemdAttrs curInterface._iName} ACTION=="move", SUBSYSTEM=="net", ENV{DEVTYPE}=="wlan", NAME=="${device}", ${systemdAttrs curInterface._iName}
''); '');
}) ]; });
}; };
} }
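Review bot: The added udev rule interpolates `%k` into a dot-separated sysctl key, so an interface whose name contains a dot (a VLAN such as `eth0.10`) would presumably be parsed as extra key components; the setting would then not apply and the interface would keep its stable address with no visible error. Writing to the proc path avoids that ambiguity, e.g. `RUN+="${pkgs.bash}/bin/sh -c 'echo 2 > /proc/sys/net/ipv6/conf/%k/use_tempaddr'"`. It is also worth confirming that `%k` still names the device at the time RUN executes if another rule renames the interface. Separately, `destination = "/etc/udev/rules.d/99-${name}"` expands to a `99-99-…` file name because `name` already carries the prefix. Since the rule is now unconditional, a short comment saying that hosts which need stable source addresses must override it would help operators.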


@ -1,14 +1,16 @@
# Test of IPv6 functionality in NixOS, including whether router # Test of IPv6 functionality in NixOS, including whether router
# solicication/advertisement using radvd works. # solicication/advertisement using radvd works.
import ./make-test.nix ({ pkgs, ...} : { import ./make-test.nix ({ pkgs, lib, ...} : {
name = "ipv6"; name = "ipv6";
meta = with pkgs.stdenv.lib.maintainers; { meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ eelco ]; maintainers = [ eelco ];
}; };
nodes = nodes =
{ client = { ... }: { }; # Remove the interface configuration provided by makeTest so that the
# interfaces are all configured implicitly
{ client = { ... }: { networking.interfaces = lib.mkForce {}; };
server = server =
{ ... }: { ... }:
@ -73,6 +75,11 @@ import ./make-test.nix ({ pkgs, ...} : {
$client->succeed("curl --fail -g http://[$serverIp]"); $client->succeed("curl --fail -g http://[$serverIp]");
$client->fail("curl --fail -g http://[$clientIp]"); $client->fail("curl --fail -g http://[$clientIp]");
}; };
subtest "privacy extensions", sub {
my $ip = waitForAddress $client, "eth1", "global temporary";
# Default route should have "src <temporary address>" in it
$client->succeed("ip r g ::2 | grep $ip");
};
# TODO: test reachability of a machine on another network. # TODO: test reachability of a machine on another network.
''; '';
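Review bot: The `grep $ip` in the new "privacy extensions" subtest matches the address anywhere in the `ip r g ::2` output and treats it as a regular expression, so it does not pin the `src` field that the comment above it describes. `$client->succeed("ip -6 route get ::2 | grep -F 'src $ip'");` would check exactly what the comment states and reads more clearly than the abbreviated `ip r g`. `waitForAddress` is defined outside this hunk, so confirm it returns the bare address without a prefix length before relying on a fixed-string match.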