Networking: need to configure networking a bit differently

markvd · April 14, 2023, 5:19pm

Hi everyone,

For my colocated server I want to configure networking slightly differently from what NixOS currently offers.

I have written a detailed bug report over at GitHub:

github.com/NixOS/nixpkgs

Suggestions for improvements to the network-interfaces.nix implementation of networking

opened 12:01AM - 09 Apr 23 UTC

closed 11:01AM - 17 Apr 23 UTC

voidzero

0.kind: bug

### Describe the bug There are a couple of (in my opion) bugs / missing feature…s pertaining to static IP address setup. I'd like to summarize them here and get a discussion or maybe someone to implement my suggested changes. I'm not skilled enough to make a pull request for these changes so I hope someone can work this out together with me. **Bug number 1**. Incorrect broadcast address for IPv4 hosts. Right now, let's say my data center gave me a couple of IPs in the subnet: 192.0.2.0/24. I configure them as follows in my flake: ``` networking = { interfaces = { eth0 = { ipv4.addresses = [ { address = "192.0.2.10"; prefixLength = 24; } { address = "192.0.2.11"; prefixLength = 24; } { address = "192.0.2.12"; prefixLength = 24; } { address = "192.0.2.13"; prefixLength = 24; } ]; }; }; }; ``` When running the flake, the problem is that these addresses do not get added with a valid broadcast address. The broadcast address is 0.0.0.0. We can see this in two ways. 1. `ifconfig eth0`: ``` eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.0.2.10 netmask 255.255.255.0 broadcast 0.0.0.0 ``` 2. `ip addr list dev eth0`: ``` 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff inet 192.0.2.10/24 scope global eth0 ``` This last line _should_ actually read: `inet 192.0.2.10/24 brd 192.0.2.255` et cetera. This should easily be replaced by adding `brd +` to the `ip address add` command. A fully working command should look as follows: `ip address add 192.0.2.10/24 brd + dev eth0` Background: In my case this wrong broadcast address causes other servers that are connected to the same switch to not be able to get the ARP messages. So, other servers on the same switch cannot connect to this server and I have to manually change the addresses with e.g. `ip address replace 192.0.2.10/24 brd + dev eth0`. That doesn't really work either because it adds the address, and it creates unnecessary cruft in my config. So that's bug 1: incorrect broadcast address. **Bug number 2**: a bug which might also be regarded as a feature request, it's a bit in between both. The issue is as follows: currently, networking does not support any way to set a preferred_lft 0 option to an IP address. But this is something I really want to be able to do, because this allows me to set the default IP address to bind services to and so on. What I henceforth would want is the following: ``` interfaces = { eth0 = { ipv4.addresses = [ { address = "192.0.2.10"; prefixLength = 24; } { address = "192.0.2.11"; prefixLength = 24; preferred_lft = 0; } ]; }; }; ``` Why do it like this? Well, with many IP addresses bound to eth0, setting all-but-one to preferred_lft = 0 makes sure that services will not choose any of those preferred_lft = 0 addresses as its outgoing address. So, this is a method to make 192.0.2.10 the default address for outgoing packets, and the other ones have to be configured into a service explicitly. In other words - Linux will never choose an address with preferred_lft 0 as an outgoing IP address unless explicitly stated. Currently, in NixOS, this cannot be done. *note*: This applies to both IPv4 and IPv6 addresses. Solution: allow users to specify the preferred_lft option in an address. Onward to **bug number 3**, which is a bit separate from the other two but still just as important. It is about IPv6 addresses, routes, and an issue with "dad" = duplicate address detection. Let's say I have the following config: ``` interfaces = { eth1 = { ipv6.addresses = [ { address = "2001:db8:b33f:1a00::1"; prefixLength = 60; } ]; ipv6.routes = [ { address = "2001:db8:b33f:1a10::"; prefixLength = 60; options.src = "2001:db8:b33f:1a00::1"; } ]; }; }; ``` Here, by the startup script, the route will not be added. It will error with "invalid src address" even though the src address is correct. The reason is, that when the IPv6 is added to eth1 in this case, Linux will do a "dad" - duplicate address detection. Until it's done, that IP address is not yet 'ready for use.'. But the route is trying to be added *during* this detection. And since the detection is still busy, the IPv6 address is not yet fully assigned, and as such, the addition to the routing table is being rejected and the startup script for eth1 fails, exits uncleanly. Solution: add a 3 second sleep between the IP allocation and the route addition. Let me know what you guys think and whether someone who understands network-interfaces.nix is willing to implement these changes. Much thanks - Mark.

Can someone please help me with this?

Thanks, Mark

markvd · April 14, 2023, 6:10pm

So either I figure out how to change the module and use that for my own flake, and submit a PR once everything works as I’d like, or, I’d disable networking altogether and use a custom networking systemd init file. I’m at a loss for either. So pointers will be very much appreciated.

TLATER · April 15, 2023, 2:07am

I haven’t read through your full list of suggestions (nor do I think I can implement them without thinking really hard about your use cases), but the implementation of networking.interfaces lives here: nixpkgs/network-interfaces-scripted.nix at 2b1bba76a13ed39c7abc0a6e8f74f9e168cf3c7c · NixOS/nixpkgs · GitHub

It’s just a shell script, and a pretty straightforward one at that. Shouldn’t be too hard to add what you need. Some of the things you suggest are even already possible, I think.

You don’t have to modify the upstream module to do these things though. The module allows you to run arbitrary commands, so anything networking related you want to do is possible on NixOS: networking.localCommands.

Furthermore, if you’re really stuck with something bespoke that isn’t possible through the networking module yet, even with arbitrary shell commands (?), you can fall back to the systemd-networkd implementation: systemd.network.

It’s quite thorough in mapping pretty much all networking features of the kernel, so you should have no problems implementing practically any networking config with it. IME using it is also a bit easier because you can actually use other forums/search engines to get help with systemd-networkd, unlike the NixOS networking module.

Aiui, though I might misremember, NixOS 23.05 will also migrate the current script-based networking implementation to the systemd-networkd based one.

markvd · April 15, 2023, 5:30pm

I guess my bug report was a bit too long. I had an episode of late-night bugreporteritis. thanks for responding.

I don’t know how to test a modified version of this file in my local flake config. I’m using @Misterio’s nix-starter-config (standard). Mistorio, maybe you can let me know how to do this?

One thing that imo does have to be added here, is that the broadcast address has to be properly set. As in adding brd + before dev on line 207 (and 210) will do that.

Secondly: I want to be able to postfix preferred_lft 0 to any (secondary) IP address when it gets added.

Third - I don’t know how to fix this: before an IPv6 route is added, the script must wait for dad (duplicate address detection) to finish before adding a route. Workaround: disable dad. Better: wait until the address does not show “tentative” anymore as described in this systemd bug report.

I can also test systemd.network. Haven’t looked into that yet. Will try. Thanks for that tip (and the localCommands one).

TLATER · April 15, 2023, 5:42pm

You can substitute your own copy of the module: NixOS 22.11 manual | Nix & NixOS

I.e., just copy the file from upstream, modify it, sub it in using that. Or do something nicer with a git clone

markvd · April 15, 2023, 5:58pm

Thank you! And thanks for being patient with me.

I was just reading up on the Wiki about systemd-networkd. I’ll go take that route first. It looks like I can set preferred_lft to 0 (systemd networking supports it anyway).

And also, since you’ve hinted at 23.05 moving to this networking setup, it’s probably better to try that out first than to shoehorn in my changes to something that will become deprecated sooner or later.

I’ll give a status-update on my progress in this thread once I’ve configured it properly.

markvd · April 17, 2023, 11:00am

Alright, it seems like systemd-networkd kinda does what I need, in that I’m able to setup networking properly! It makes no sense to do this with networking.* if we’re going to move to systemd based networking. The systemd config is somewhat convoluted, but works fine. A little example:

    "20-lan" = {
        matchConfig.Name = "eth1";
        DHCP = "no";
        networkConfiguration = {
            IPv4ProxyARP = true;
            IPv6ProxyNDP = true;
            IPv6ProxyNDPAddress = [
                "2001:db8:100:1001::2",
                "2001:db8:100:1002::2"
            ];
        };
        address = [
            "192.0.2.1/24",
            "2001:db8:100:1000::1/60"
        ];
        routes = [
            { routeConfig = { Destination = "192.0.3.1/24"; PreferredSource = "192.0.2.1"; }; }
            { routeConfig = { Destination = "2001:db8:100:1001::/60"; PreferredSource = "2001:db8:100:1000:1"; }; }
        ];
        linkConfig = {
            RequiredForOnline = "routable";
            MTUBytes = "9000";
        };
    };

I had to add these lines to ensure that openssh starts properly afterwards:

systemd.services.sshd.wants = [ "network-online.target" ];
systemd.services.sshd.after = [ "network-online.target" ];

Much thanks for the help. I can close my bug report since it’s no longer needed.

TLATER · April 17, 2023, 11:10am

Note that the migration isn’t really intended to switch to systemd.network as you use it, it’s just that the networking.* options will be converted to systemd.network ones instead of the shell scripts that currently exist. networking.* does have its place, it’s an abstraction that makes things:

Super easy plug-and-play for people who don’t know their networking that well (such as yours truly).
Agnostic to future changes in how Linux network management is done; just in case we migrate away from systemd-networkd again one day.

That said, the NixOS networking module can’t realistically compete with the current level of maintenance of systemd-networkd. It will probably be a more usable interface to network configuration for the foreseeable feature, it’s just a bit more verbose. Once you have an even slightly advanced use case I don’t really see a reason not to use systemd-networkd directly.