
network-interfaces: restrict ipv6 udev rules #240295

Merged: 1 commit, Jul 6, 2023

Conversation

sysvinit

Description of changes

The network-interfaces module generates udev rules to set IPv6 privacy address configuration on interfaces which have networking.interfaces.<iface>.tempAddress set to a value other than the global default in networking.tempAddresses. The generated udev rule for an interface ethfoo looks like e.g.:

ACTION=="add", SUBSYSTEM=="net", RUN+="/path/to/sysctl net.ipv6.conf.ethfoo.use_tempaddr=1"

However, this rule is missing a NAME== constraint to restrict it to matching an interface with a specific name, which means that it will get triggered for every new network interface added to the system, not only ethfoo. This will result in the sysctl command being run once for every network interface attached to the system.

This change adds an extra constraint to the generated udev rule, so that it is only triggered once by the interface to which it applies the sysctl configuration.

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.
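As an added example (not code from the PR or from nixpkgs), a small POSIX shell helper that emits the restricted rule described above for one interface and flags generated net rules that carry a RUN+= command but no NAME== match, i.e. rules that would fire for every interface. The sysctl path is a placeholder assumption, not the real store path the module uses.

```shell
#!/bin/sh
# Added example, not part of the nixpkgs PR. The sysctl path below is an
# assumed placeholder; the module substitutes its own store path.
SYSCTL="/run/current-system/sw/bin/sysctl"

# tempaddr_rule IFACE VALUE
# Emit the udev rule for one interface with the NAME== constraint the PR
# adds, so it only fires when IFACE itself is added.
tempaddr_rule() {
    iface=$1; value=$2
    printf 'ACTION=="add", SUBSYSTEM=="net", NAME=="%s", RUN+="%s net.ipv6.conf.%s.use_tempaddr=%s"\n' \
        "$iface" "$SYSCTL" "$iface" "$value"
}

# unscoped_net_rules < rules
# Print the rules on stdin that act on SUBSYSTEM=="net" and run a command
# but have no NAME== match: these run once per interface added, as in the
# bug the PR fixes.
unscoped_net_rules() {
    grep -E 'SUBSYSTEM=="net"' | grep -E 'RUN\+=' | grep -Ev 'NAME=="[^"]+"' || true
}

# count_unscoped < rules  -> number of unscoped rules (0 when none)
count_unscoped() {
    unscoped_net_rules | grep -c . || true
}

# Constructed sample rule set: the pre-fix ethfoo rule (unscoped), the
# fixed ethfoo rule, and a fixed rule for lo.
SAMPLE_RULES='ACTION=="add", SUBSYSTEM=="net", RUN+="/run/current-system/sw/bin/sysctl net.ipv6.conf.ethfoo.use_tempaddr=1"
ACTION=="add", SUBSYSTEM=="net", NAME=="ethfoo", RUN+="/run/current-system/sw/bin/sysctl net.ipv6.conf.ethfoo.use_tempaddr=1"
ACTION=="add", SUBSYSTEM=="net", NAME=="lo", RUN+="/run/current-system/sw/bin/sysctl net.ipv6.conf.lo.use_tempaddr=0"'

# Demo: list the rules from the sample that would fire for every interface.
printf '%s\n' "$SAMPLE_RULES" | unscoped_net_rules
```

To audit a running system, feed it the generated rules instead of the sample, e.g. `cat /etc/udev/rules.d/*.rules | unscoped_net_rules`.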

…interface

Only trigger the privacy address override for a given interface when
that interface is added. Without restricting the rule to the
interface, this command would be run when any interface is added.

@rnhmjoj rnhmjoj left a comment


Tested with

  networking.tempAddress = "default";
  networking.interfaces.lo.tempAddress = "disabled";

It seems to be working as expected:

# sysctl net.ipv6.conf | grep tempaddr
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.lo.use_tempaddr = 0
net.ipv6.conf.wlan0.use_tempaddr = 2

Thank you.

@rnhmjoj rnhmjoj merged commit d0b4889 into NixOS:master Jul 6, 2023
@sysvinit sysvinit deleted the sysvinit/udev-privacy-address-scope branch July 24, 2023 09:42
ctheune added a commit to flyingcircusio/nixpkgs that referenced this pull request Apr 22, 2024
ctheune added a commit to flyingcircusio/nixpkgs that referenced this pull request Apr 30, 2024
All network interfaces now use "-netdev.service" units, even if they
have underlying physical devices and were previously depending on
systemd device units. This proved to be unreliable when trying to
transform systems between complex configuration states without
requiring a reboot and ended up in undefined states.

Includes a backport of NixOS#240295

Re PL-132441