Merge pull request #189176 from maifel-maifel/mr-wireguard-fwmark-mtu
commit f88b09a712
@ -647,6 +647,12 @@
|
||||||
guide</link> on how to migrate your Neo4j instance.
|
guide</link> on how to migrate your Neo4j instance.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
The <literal>networking.wireguard</literal> module now can set
|
||||||
|
the mtu on interfaces and tag its packets with an fwmark.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
The <literal>services.matrix-synapse</literal> systemd unit
|
The <literal>services.matrix-synapse</literal> systemd unit
|
||||||
|
|
|
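Review bot: the new DocBook release-note sentence "now can set the mtu on interfaces and tag its packets with an fwmark" reads awkwardly and writes "mtu" in lower case where the option descriptions in this same change write "MTU"; suggest "can now set the MTU of its interfaces and tag outgoing packets with a firewall mark (fwmark)", and keep this copy word-for-word identical to the Markdown release note added in the next hunk so the two do not drift.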
@ -217,6 +217,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||||
|
|
||||||
- Neo4j was updated from version 3 to version 4. See this [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) on how to migrate your Neo4j instance.
|
- Neo4j was updated from version 3 to version 4. See this [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) on how to migrate your Neo4j instance.
|
||||||
|
|
||||||
|
- The `networking.wireguard` module now can set the mtu on interfaces and tag its packets with an fwmark.
|
||||||
|
|
||||||
- The `services.matrix-synapse` systemd unit has been hardened.
|
- The `services.matrix-synapse` systemd unit has been hardened.
|
||||||
|
|
||||||
- Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.
|
- Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.
|
||||||
|
|
|
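Review bot: the Markdown note names neither new option, so a reader has to open the module to find them; suggest naming them explicitly, e.g. "The `networking.wireguard` module gained `mtu` and `fwMark` interface options ...", which also makes clear that `fwMark` (camel case) is the NixOS option while "fwmark" is the `wg` keyword.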
@ -137,6 +137,33 @@ let
|
||||||
See [documentation](https://www.wireguard.com/netns/).
|
See [documentation](https://www.wireguard.com/netns/).
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
fwMark = mkOption {
|
||||||
|
default = null;
|
||||||
|
type = with types; nullOr str;
|
||||||
|
example = "0x6e6978";
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
Mark all wireguard packets originating from
|
||||||
|
this interface with the given firewall mark. The firewall mark can be
|
||||||
|
used in firewalls or policy routing to filter the wireguard packets.
|
||||||
|
This can be useful for setup where all traffic goes through the
|
||||||
|
wireguard tunnel, because the wireguard packets need to be routed
|
||||||
|
differently.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
mtu = mkOption {
|
||||||
|
default = null;
|
||||||
|
type = with types; nullOr int;
|
||||||
|
example = 1280;
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
Set the maximum transmission unit in bytes for the wireguard
|
||||||
|
interface. Beware that the wireguard packets have a header that may
|
||||||
|
add up to 80 bytes to the mtu. By default, the MTU is (1500 - 80) =
|
||||||
|
1420. However, if the MTU of the upstream network is lower, the MTU
|
||||||
|
of the wireguard network has to be adjusted as well.
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
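Review bot: `mtu` is typed as plain `nullOr int`, so a zero or negative value passes evaluation and only fails later when `ip link set ... mtu` runs on the host; `with types; nullOr ints.positive` would reject it at build time instead. In the descriptions, "useful for setup where" should read "useful for setups where", "mtu" and "MTU" alternate within one paragraph, and since `default = null` here, "By default, the MTU is (1500 - 80) = 1420" would be clearer as "the wireguard driver's default MTU is (1500 - 80) = 1420" so readers do not take 1420 for this option's default.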
@ -398,6 +425,7 @@ let
|
||||||
|
|
||||||
${ipPreMove} link add dev "${name}" type wireguard
|
${ipPreMove} link add dev "${name}" type wireguard
|
||||||
${optionalString (values.interfaceNamespace != null && values.interfaceNamespace != values.socketNamespace) ''${ipPreMove} link set "${name}" netns "${ns}"''}
|
${optionalString (values.interfaceNamespace != null && values.interfaceNamespace != values.socketNamespace) ''${ipPreMove} link set "${name}" netns "${ns}"''}
|
||||||
|
${optionalString (values.mtu != null) ''${ipPreMove} link set "${name}" mtu ${toString values.mtu}''}
|
||||||
|
|
||||||
${concatMapStringsSep "\n" (ip:
|
${concatMapStringsSep "\n" (ip:
|
||||||
''${ipPostMove} address add "${ip}" dev "${name}"''
|
''${ipPostMove} address add "${ip}" dev "${name}"''
|
||||||
|
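Review bot: the new `link set "${name}" mtu` line runs through `${ipPreMove}` but is placed after the `${ipPreMove} link set "${name}" netns "${ns}"` step; when `interfaceNamespace` is set and differs from `socketNamespace`, the interface has already been moved out of the namespace that `ipPreMove` operates in, so this invocation will not find `${name}` and the whole setup script fails. Either run it with `${ipPostMove}` (as the `address add` lines directly below do) or place it before the netns move.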
@ -406,6 +434,7 @@ let
|
||||||
${concatStringsSep " " (
|
${concatStringsSep " " (
|
||||||
[ ''${wg} set "${name}" private-key "${privKey}"'' ]
|
[ ''${wg} set "${name}" private-key "${privKey}"'' ]
|
||||||
++ optional (values.listenPort != null) ''listen-port "${toString values.listenPort}"''
|
++ optional (values.listenPort != null) ''listen-port "${toString values.listenPort}"''
|
||||||
|
++ optional (values.fwMark != null) ''fwmark "${values.fwMark}"''
|
||||||
)}
|
)}
|
||||||
|
|
||||||
${ipPostMove} link set up dev "${name}"
|
${ipPostMove} link set up dev "${name}"
|
||||||
|
|
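Review bot: `values.fwMark` is a free-form `str` interpolated straight into the `wg set` command line; the double quotes prevent word splitting, but nothing checks that the value is something `wg` accepts (a decimal or `0x`-prefixed hexadecimal 32-bit mark, or `off`), so a typo only surfaces as a runtime failure of the combined `wg set` call that also applies the private key and listen port. Suggest validating at the option instead, e.g. `types.strMatching "0x[0-9a-fA-F]+|[0-9]+"` (or typing it as an int and formatting it here), so a bad value is rejected at evaluation time.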