diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix
index a77dbc609f46..44550b2f09cd 100644
--- a/nixos/modules/system/boot/networkd.nix
+++ b/nixos/modules/system/boot/networkd.nix
@@ -235,6 +235,21 @@ let
     (assertValueOneOf "AutoJoin" boolValues)
   ];
 
+  checkRoutingPolicyRule = checkUnitConfig "RoutingPolicyRule" [
+    (assertOnlyFields [
+      "TypeOfService" "From" "To" "FirewallMark" "Table" "Priority"
+      "IncomingInterface" "OutgoingInterface" "SourcePort" "DestinationPort"
+      "IPProtocol" "InvertRule" "Family"
+    ])
+    (assertRange "TypeOfService" 0 255)
+    (assertRange "FirewallMark" 1 4294967295)
+    (assertInt "Priority")
+    (assertPort "SourcePort")
+    (assertPort "DestinationPort")
+    (assertValueOneOf "InvertRule" boolValues)
+    (assertValueOneOf "Family" ["ipv4" "ipv6" "both"])
+  ];
+
   checkRoute = checkUnitConfig "Route" [
     (assertOnlyFields [
       "Gateway" "GatewayOnLink" "Destination" "Source" "Metric"
@@ -535,6 +550,22 @@ let
     };
   };
 
+  routingPolicyRulesOptions = {
+    options = {
+      routingPolicyRuleConfig = mkOption {
+        default = { };
+        example = { routingPolicyRuleConfig = { Table = 10; IncomingInterface = "eth1"; } ;};
+        type = types.addCheck (types.attrsOf unitOption) checkRoutingPolicyRule;
+        description = ''
+          Each attribute in this set specifies an option in the
+          [RoutingPolicyRule] section of the unit. See
+          systemd.network
+          5 for details.
+        '';
+      };
+    };
+  };
+
   routeOptions = {
     options = {
       routeConfig = mkOption {
@@ -772,6 +803,16 @@ let
         '';
       };
 
+      routingPolicyRules = mkOption {
+        default = [ ];
+        type = with types; listOf (submodule routingPolicyRulesOptions);
+        description = ''
+          A list of routing policy rules sections to be added to the unit. See
+          systemd.network
+          5 for details.
+        '';
+      };
+
       routes = mkOption {
         default = [ ];
         type = with types; listOf (submodule routeOptions);
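Review bot: `(assertPort "SourcePort")` and `(assertPort "DestinationPort")` feed the field value straight into `i >= 0 && i <= 65535`, so a string value aborts evaluation with a Nix "cannot compare" type error instead of yielding the unit's assertion message; systemd.network documents these two fields as accepting `lower-upper` port ranges as well as single ports, so a range such as `"1000-2000"` (constructed example) would fail to evaluate. If ranges are meant to be permitted, the check should accept an integer port or a string in the range syntax; if they are deliberately excluded, a comment such as `# single integer ports only; systemd's lower-upper ranges are not accepted here` on the two lines would save the next reader the surprise. The helper itself, as defined in the systemd-lib.nix hunk further down, also interpolates `${attr.name}` into its message rather than the checked value, so a failing check evaluates a usually-absent `name` attribute instead of printing the offending port; `${toString attr.${name}}` is presumably what was intended there.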
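Review bot: The `example` line of `routingPolicyRuleConfig` ends in `} ;};`, with a stray space before the semicolon that reads as a typo next to the otherwise consistently spaced attribute sets in this hunk; `example = { routingPolicyRuleConfig = { Table = 10; IncomingInterface = "eth1"; }; };` is the conventional form. The submodule otherwise mirrors the `routeOptions` pattern that follows it, whose body continues outside the hunk.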
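Review bot: The description of the new `routingPolicyRules` option says `A list of routing policy rules sections`; the attributive noun should be singular, `A list of routing policy rule sections to be added to the unit.`, which also matches the `[RoutingPolicyRule]` section name it refers to. The options set this is inserted into starts and ends outside the hunk.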
@@ -928,6 +969,11 @@ let
         [Route]
         ${attrsToSection x.routeConfig}
+      '')}
+      ${flip concatMapStrings def.routingPolicyRules (x: ''
+        [RoutingPolicyRule]
+        ${attrsToSection x.routingPolicyRuleConfig}
+      '')}
       ${def.extraConfig}
     '';
diff --git a/nixos/modules/system/boot/systemd-lib.nix b/nixos/modules/system/boot/systemd-lib.nix
index fd1a5b9f62c5..a33602915867 100644
--- a/nixos/modules/system/boot/systemd-lib.nix
+++ b/nixos/modules/system/boot/systemd-lib.nix
@@ -59,6 +59,11 @@ in rec {
     optional (attr ? ${name} && ! isMacAddress attr.${name})
       "Systemd ${group} field `${name}' must be a valid mac address.";
 
+  isPort = i: i >= 0 && i <= 65535;
+
+  assertPort = name: group: attr:
+    optional (attr ? ${name} && ! isPort attr.${name})
+      "Error on the systemd ${group} field `${name}': ${attr.name} is not a valid port number.";
   assertValueOneOf = name: values: group: attr:
     optional (attr ? ${name} && !elem attr.${name} values)