Merge pull request #189176 from maifel-maifel/mr-wireguard-fwmark-mtu

2024-11-23 07:23:20 +00:00 · 2022-09-29 00:04:33 +02:00 · 2022-09-29 00:04:33 +02:00 · f88b09a712
commit f88b09a712
parent fc77dfcdeb 0c704db698
3 changed files with 37 additions and 0 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@ -647,6 +647,12 @@
          guide</link> on how to migrate your Neo4j instance.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          The <literal>networking.wireguard</literal> module now can set
+          the mtu on interfaces and tag its packets with an fwmark.
+        </para>
+      </listitem>
      <listitem>
        <para>
          The <literal>services.matrix-synapse</literal> systemd unit
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@ -217,6 +217,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).

 - Neo4j was updated from version 3 to version 4. See this [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) on how to migrate your Neo4j instance.

+- The `networking.wireguard` module now can set the mtu on interfaces and tag its packets with an fwmark.
+
 - The `services.matrix-synapse` systemd unit has been hardened.

 - Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@ -137,6 +137,33 @@ let
        See [documentation](https://www.wireguard.com/netns/).
        '';
      };
+
+      fwMark = mkOption {
+        default = null;
+        type = with types; nullOr str;
+        example = "0x6e6978";
+        description = lib.mdDoc ''
+          Mark all wireguard packets originating from
+          this interface with the given firewall mark. The firewall mark can be
+          used in firewalls or policy routing to filter the wireguard packets.
+          This can be useful for setup where all traffic goes through the
+          wireguard tunnel, because the wireguard packets need to be routed
+          differently.
+        '';
+      };
+
+      mtu = mkOption {
+        default = null;
+        type = with types; nullOr int;
+        example = 1280;
+        description = lib.mdDoc ''
+          Set the maximum transmission unit in bytes for the wireguard
+          interface. Beware that the wireguard packets have a header that may
+          add up to 80 bytes to the mtu. By default, the MTU is (1500 - 80) =
+          1420. However, if the MTU of the upstream network is lower, the MTU
+          of the wireguard network has to be adjusted as well.
+        '';
+      };
    };

  };
@ -398,6 +425,7 @@ let

          ${ipPreMove} link add dev "${name}" type wireguard
          ${optionalString (values.interfaceNamespace != null && values.interfaceNamespace != values.socketNamespace) ''${ipPreMove} link set "${name}" netns "${ns}"''}
+          ${optionalString (values.mtu != null) ''${ipPreMove} link set "${name}" mtu ${toString values.mtu}''}

          ${concatMapStringsSep "\n" (ip:
            ''${ipPostMove} address add "${ip}" dev "${name}"''
@ -406,6 +434,7 @@ let
          ${concatStringsSep " " (
            [ ''${wg} set "${name}" private-key "${privKey}"'' ]
            ++ optional (values.listenPort != null) ''listen-port "${toString values.listenPort}"''
+            ++ optional (values.fwMark != null) ''fwmark "${values.fwMark}"''
          )}

          ${ipPostMove} link set up dev "${name}"