author | Joachim F <joachifm@users.noreply.github.com> | 2018-02-17 08:41:23 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-02-17 08:41:23 +0000 |
commit | 7bf049a54c3b4d800baacf201cdeac2d7279cd3c (patch) | |
tree | cfb8d578107e889afdbb59af188cc799cf4045c0 /nixos/modules/tasks | |
parent | 87f6e05dd458bb1376f0ddfd33ac2393e11b0a29 (diff) | |
parent | 4050c30da2e0ec42123c381be1312b8d0b2cc118 (diff) | |
Merge pull request #34492 from rnhmjoj/privacy
nixos/networking-interfaces: add preferTempAddress option
Diffstat (limited to 'nixos/modules/tasks')
-rw-r--r-- | nixos/modules/tasks/network-interfaces-systemd.nix | 1 | ||||
-rw-r--r-- | nixos/modules/tasks/network-interfaces.nix | 22 |
2 files changed, 20 insertions, 3 deletions
diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index 5d72ad0f1bde..be7f52a76def 100644 --- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix @@ -91,6 +91,7 @@ in (if i.useDHCP != null then i.useDHCP else cfg.useDHCP && interfaceIps i == [ ])); address = flip map (interfaceIps i) (ip: "${ip.address}/${toString ip.prefixLength}"); + networkConfig.IPv6PrivacyExtensions = "kernel"; } ]; }))) (mkMerge (flip mapAttrsToList cfg.bridges (name: bridge: { diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index f4851988d63d..f80c5045c07d 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -155,6 +155,16 @@ let description = "Name of the interface."; }; + preferTempAddress = mkOption { + type = types.bool; + default = cfg.enableIPv6; + defaultText = literalExample "config.networking.enableIpv6"; + description = '' + When using SLAAC prefer a temporary (IPv6) address over the EUI-64 + address for originating connections. This is used to reduce tracking. + ''; + }; + useDHCP = mkOption { type = types.nullOr types.bool; default = null; @@ -941,6 +951,11 @@ in message = '' The networking.interfaces."${i.name}" must not have any defined ips when it is a slave. ''; + })) ++ (flip map interfaces (i: { + assertion = i.preferTempAddress -> cfg.enableIPv6; + message = '' + Temporary addresses are only needed when IPv6 is enabled. + ''; })) ++ [ { assertion = cfg.hostId == null || (stringLength cfg.hostId == 8 && isHexString cfg.hostId); 
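Review bot: The added `networkConfig.IPv6PrivacyExtensions = "kernel";` in network-interfaces-systemd.nix carries no comment, and its purpose is not obvious from the line alone. As far as I know, networkd's own default for this key is "no", which would override the `use_tempaddr` sysctl that this same commit sets from `preferTempAddress`. I would put `# leave use_tempaddr to the kernel sysctl (see preferTempAddress); networkd's default would otherwise disable temporary addresses` above the line. The setting is applied to every interface regardless of `preferTempAddress`, which looks intended but is worth stating in that comment. The enclosing attribute set begins outside the hunk.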
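Review bot: The `defaultText` of the new `preferTempAddress` option in network-interfaces.nix names `config.networking.enableIpv6`, but the option used two lines above and elsewhere in this file is `cfg.enableIPv6`. The rendered manual would therefore point readers at an option name that does not exist, so it should read `defaultText = literalExample "config.networking.enableIPv6";`. The description could also say what happens when the option is false: from the sysctl hunk later in this file, nothing is written and the kernel default for `use_tempaddr` stays in effect.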
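Review bot: The new assertion message in the `-941` hunk does not say which interface failed or which option to change, unlike the preceding assertion, which names `networking.interfaces."${i.name}"`. The assertion is evaluated once per interface, so a user who sets `enableIPv6 = false` while one interface has `preferTempAddress = true` gets no pointer to the offending entry. I would write the message as `networking.interfaces."${i.name}".preferTempAddress requires networking.enableIPv6 to be enabled.` The assertion list starts and ends outside the hunk.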
@@ -963,9 +978,10 @@ in "net.ipv6.conf.all.disable_ipv6" = mkDefault (!cfg.enableIPv6); "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); "net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); - } // listToAttrs (concatLists (flip map (filter (i: i.proxyARP) interfaces) - (i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true)) - )); + } // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces) + (i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true))) + // listToAttrs (flip map (filter (i: i.preferTempAddress) interfaces) + (i: nameValuePair "net.ipv6.conf.${i.name}.use_tempaddr" 2)); # Capabilities won't work unless we have at-least a 4.3 Linux # kernel because we need the ambient capability |
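Review bot: The last added line writes `net.ipv6.conf.${i.name}.use_tempaddr` as a per-interface key. If this attribute set is applied once at boot, as the surrounding keys suggest, the key will probably not exist yet for an interface that appears later (hotplugged NICs, late-loaded drivers). Interfaces not declared under `networking.interfaces` are never covered at all. In both cases the host keeps originating connections from its EUI-64 address without any warning, which defeats the privacy purpose of the option. The limitation should at least be recorded with a comment such as `# applied at boot only; interfaces created later keep the kernel default for use_tempaddr`. The value is also set without `mkDefault`, unlike the three keys above it, so a user-supplied sysctl for the same key would conflict rather than override; `(mkDefault 2)` would match them. The attribute set begins outside the hunk.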