nixos/network-interfaces: always apply privacy extensions

Fixes #56306
2024-12-03 11:02:05 +00:00 · 2019-04-11 19:41:47 +02:00 · 2019-04-11 19:41:47 +02:00 · 26317b02ae
parent fef728b6ea
commit 26317b02ae
2 changed files with 18 additions and 5 deletions
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@ -1087,7 +1087,14 @@ in

    virtualisation.vswitch = mkIf (cfg.vswitches != { }) { enable = true; };

-    services.udev.packages = mkIf (cfg.wlanInterfaces != {}) [
+    services.udev.packages =  [
+      (pkgs.writeTextFile rec {
+        name = "99-ipv6-privacy-extensions.rules";
+        destination = "/etc/udev/rules.d/99-${name}";
+        text = ''
+          ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.procps}/bin/sysctl net.ipv6.conf.%k.use_tempaddr=2"
+        '';
+      }) ] ++ lib.optional (cfg.wlanInterfaces != {})
      (pkgs.writeTextFile {
        name = "99-zzz-40-wlanInterfaces.rules";
        destination = "/etc/udev/rules.d/99-zzz-40-wlanInterfaces.rules";
@ -1161,8 +1168,7 @@ in
            # Generate the same systemd events for both 'add' and 'move' udev events.
            ACTION=="move", SUBSYSTEM=="net", ENV{DEVTYPE}=="wlan", NAME=="${device}", ${systemdAttrs curInterface._iName}
          '');
-      }) ];
-
+      });
  };

 }
--- a/nixos/tests/ipv6.nix
+++ b/nixos/tests/ipv6.nix
@ -1,14 +1,16 @@
 # Test of IPv6 functionality in NixOS, including whether router
 # solicication/advertisement using radvd works.

-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test.nix ({ pkgs, lib, ...} : {
  name = "ipv6";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ eelco ];
  };

  nodes =
-    { client = { ... }: { };
+    # Remove the interface configuration provided by makeTest so that the
+    # interfaces are all configured implicitly
+    { client = { ... }: { networking.interfaces = lib.mkForce {}; };

      server =
        { ... }:
@ -73,6 +75,11 @@ import ./make-test.nix ({ pkgs, ...} : {
          $client->succeed("curl --fail -g http://[$serverIp]");
          $client->fail("curl --fail -g http://[$clientIp]");
      };
+      subtest "privacy extensions", sub {
+          my $ip = waitForAddress $client, "eth1", "global temporary";
+          # Default route should have "src <temporary address>" in it
+          $client->succeed("ip r g ::2 | grep $ip");
+      };

      # TODO: test reachability of a machine on another network.
    '';