diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix
index a77dbc609f46..44550b2f09cd 100644
--- a/nixos/modules/system/boot/networkd.nix
+++ b/nixos/modules/system/boot/networkd.nix
@@ -235,6 +235,21 @@ let
(assertValueOneOf "AutoJoin" boolValues)
];
+ checkRoutingPolicyRule = checkUnitConfig "RoutingPolicyRule" [
+ (assertOnlyFields [
+ "TypeOfService" "From" "To" "FirewallMark" "Table" "Priority"
+ "IncomingInterface" "OutgoingInterface" "SourcePort" "DestinationPort"
+ "IPProtocol" "InvertRule" "Family"
+ ])
+ (assertRange "TypeOfService" 0 255)
+ (assertRange "FirewallMark" 1 4294967295)
+ (assertInt "Priority")
+ (assertPort "SourcePort")
+ (assertPort "DestinationPort")
+ (assertValueOneOf "InvertRule" boolValues)
+ (assertValueOneOf "Family" ["ipv4" "ipv6" "both"])
+ ];
+
checkRoute = checkUnitConfig "Route" [
(assertOnlyFields [
"Gateway" "GatewayOnLink" "Destination" "Source" "Metric"
@@ -535,6 +550,22 @@ let
};
};
+ routingPolicyRulesOptions = {
+ options = {
+ routingPolicyRuleConfig = mkOption {
+ default = { };
+ example = { routingPolicyRuleConfig = { Table = 10; IncomingInterface = "eth1"; } ;};
+ type = types.addCheck (types.attrsOf unitOption) checkRoutingPolicyRule;
+ description = ''
+ Each attribute in this set specifies an option in the
+ [RoutingPolicyRule] section of the unit. See
+ systemd.network
+ 5 for details.
+ '';
+ };
+ };
+ };
+
routeOptions = {
options = {
routeConfig = mkOption {
@@ -772,6 +803,16 @@ let
'';
};
+ routingPolicyRules = mkOption {
+ default = [ ];
+ type = with types; listOf (submodule routingPolicyRulesOptions);
+ description = ''
+ A list of routing policy rules sections to be added to the unit. See
+ systemd.network
+ 5 for details.
+ '';
+ };
+
routes = mkOption {
default = [ ];
type = with types; listOf (submodule routeOptions);
@@ -928,6 +969,11 @@ let
[Route]
${attrsToSection x.routeConfig}
+ '')}
+ ${flip concatMapStrings def.routingPolicyRules (x: ''
+ [RoutingPolicyRule]
+ ${attrsToSection x.routingPolicyRuleConfig}
+
'')}
${def.extraConfig}
'';
diff --git a/nixos/modules/system/boot/systemd-lib.nix b/nixos/modules/system/boot/systemd-lib.nix
index fd1a5b9f62c5..a33602915867 100644
--- a/nixos/modules/system/boot/systemd-lib.nix
+++ b/nixos/modules/system/boot/systemd-lib.nix
@@ -59,6 +59,11 @@ in rec {
optional (attr ? ${name} && ! isMacAddress attr.${name})
"Systemd ${group} field `${name}' must be a valid mac address.";
+ isPort = i: i >= 0 && i <= 65535;
+
+ assertPort = name: group: attr:
+ optional (attr ? ${name} && ! isPort attr.${name})
+ "Error on the systemd ${group} field `${name}': ${attr.name} is not a valid port number.";
assertValueOneOf = name: values: group: attr:
optional (attr ? ${name} && !elem attr.${name} values)