From 291ebce9434459f04b7b5b87cf4b369be1fb026d Mon Sep 17 00:00:00 2001
From: June
Date: Wed, 6 May 2026 14:42:34 +0200
Subject: [PATCH] router(host): configure public (v4) network
---
 .../chaosknoten/router/nftables/nftables.conf | 15 ++++++++----
 .../systemd_networkd/10-net0.5-public.netdev | 6 +++++
 .../router/systemd_networkd/20-net0.network | 2 +-
 .../systemd_networkd/21-net0.5-public.network | 23 +++++++++++++++++++
 4 files changed, 40 insertions(+), 6 deletions(-)
 create mode 100644 resources/chaosknoten/router/systemd_networkd/10-net0.5-public.netdev
 create mode 100644 resources/chaosknoten/router/systemd_networkd/21-net0.5-public.network
diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf
index ca62a97..b9978d8 100644
--- a/resources/chaosknoten/router/nftables/nftables.conf
+++ b/resources/chaosknoten/router/nftables/nftables.conf
@@ -7,14 +7,19 @@ define if_net1_v4_wan = "net1"
 define if_net2_v6_wan = "net2"
 define if_net0_2_v4_nat = "net0.2"
 define if_net0_3_ci_runner = "net0.3"
+define if_net0_5_public = "net0.5"
 # Interface Groups
 define wan_ifs = { $if_net1_v4_wan, $if_net2_v6_wan }
 define lan_ifs = { $if_net0_2_v4_nat,
- $if_net0_3_ci_runner }
-# define v4_exposed_ifs = { }
-define v6_exposed_ifs = { $if_net0_2_v4_nat }
+ $if_net0_3_ci_runner,
+ $if_net0_5_public }
+define v4_exposed_ifs = { $if_net0_5_public }
+define v6_exposed_ifs = { $if_net0_2_v4_nat,
+ $if_net0_5_public }
+define v4_nat_ifs = { $if_net0_2_v4_nat,
+ $if_net0_3_ci_runner }
 ## Rules
@@ -73,7 +78,7 @@ table ip v4nat {
 chain postrouting {
 type nat hook postrouting priority srcnat; policy accept;
- oifname $if_net1_v4_wan masquerade
+ iifname $v4_nat_ifs oifname $if_net1_v4_wan masquerade
 }
 }
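Review bot: The new interface-group defines do not explain why `net0.5` appears in `lan_ifs` and in both `v4_exposed_ifs` and `v6_exposed_ifs` but is deliberately left out of `v4_nat_ifs`, so the next person adding a VLAN has no hint which sets it belongs in. I would add above `define v4_nat_ifs`: `# net0.5 carries public v4 addresses: it is exposed to the internet and must NOT be in v4_nat_ifs (no masquerade).` It is also worth stating in that comment that membership in `lan_ifs` gives net0.5 the "allow v4 internet access" forward rule, so its hosts reach the internet with their public source address rather than via NAT. The defines are referenced by the rule hunks further down in the same commit.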
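Review bot: The added `iifname $v4_nat_ifs` match in the postrouting rule restricts masquerading to forwarded traffic from those two VLANs, so packets the router itself originates toward `net1` (which have no input interface) are no longer masqueraded, whereas the removed unconditional rule covered them. If the router always sources its own traffic from the WAN address this is harmless, but if any local service replies from a LAN-side address those packets would now leave with a private source — worth confirming before merging. Excluding `net0.5` from the NAT set is correct since its hosts use the public prefix. The enclosing `table ip v4nat` opens outside the hunk.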
@@ -89,7 +94,7 @@ table inet forward {
 meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
 # Allow access to exposed networks from internet.
- # meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
+ meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
 meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
 }
 }
diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.5-public.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.5-public.netdev
new file mode 100644
index 0000000..be3c9d9
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/10-net0.5-public.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=net0.5
+Kind=vlan
+
+[VLAN]
+Id=5
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net0.network b/resources/chaosknoten/router/systemd_networkd/20-net0.network
index a32d75e..a9104ff 100644
--- a/resources/chaosknoten/router/systemd_networkd/20-net0.network
+++ b/resources/chaosknoten/router/systemd_networkd/20-net0.network
@@ -7,6 +7,6 @@ RequiredForOnline=no
 [Network]
 VLAN=net0.2
 VLAN=net0.3
+VLAN=net0.5
 LinkLocalAddressing=no
-
diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.5-public.network b/resources/chaosknoten/router/systemd_networkd/21-net0.5-public.network
new file mode 100644
index 0000000..2a7b0db
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/21-net0.5-public.network
@@ -0,0 +1,23 @@
+[Match]
+Name=net0.5
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=public
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=212.12.50.209/29
+
+[IPv6SendRA]
+UplinkInterface=net2
+
+[IPv6Prefix]
+Prefix=2a00:14b0:42:105::/64
+Assign=true
+Token=static:::1
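Review bot: The newly enabled rule `meta nfproto ipv4 oifname $v4_exposed_ifs accept` matches on the output interface only, so it accepts forwarded v4 traffic into net0.5 from every ingress interface, not just from the internet as the comment directly above it states; forwarding from net0.2 or net0.3 into the public VLAN is accepted by this rule too. If that inter-VLAN reachability is intended, the comment should say so; if not, `meta nfproto ipv4 iifname $wan_ifs oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"` narrows it to the WAN side (the pre-existing v6 rule on the next line has the same shape and would deserve the same decision). Either way the exposure is full — every protocol and port is forwarded — so the accept deserves a comment saying that filtering for net0.5 hosts happens on the hosts themselves, if that is the design. The forward chain opens outside the hunk.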
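Review bot: The comment `# Masquerading done in nftables (nftables.conf).` under `[Network]` in 21-net0.5-public.network is misleading for this interface: the nftables change in the same commit leaves `net0.5` out of `v4_nat_ifs`, so this VLAN is specifically not masqueraded. It reads like a carry-over from another .network file; I would replace it with `# Public v4 prefix: routed, not masqueraded (net0.5 is deliberately absent from v4_nat_ifs in nftables.conf).` A short note that the /29 must be routed to this router by the upstream for the addresses to be reachable would also help, since nothing in this repository can express that.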