nixos/l2mesh: Add option to enable UDP encapsulation
This commit is contained in:
@@ -9,6 +9,7 @@ in
|
||||
vpns = {
|
||||
l2 = {
|
||||
as211024 = {
|
||||
udpEncapsulation = true;
|
||||
vni = 211024;
|
||||
security.enable = true;
|
||||
peers = {
|
||||
|
||||
@@ -135,6 +135,7 @@ let
|
||||
ipv6 = mkBoolOpt' false "Whether this mesh's underlay operates over IPv6.";
|
||||
baseMTU = mkOpt' ints.unsigned 1500 "Base MTU to calculate VXLAN MTU with.";
|
||||
l3Overhead = mkOpt' ints.unsigned 40 "Overhead of L3 header (to calculate MTU).";
|
||||
udpEncapsulation = mkBoolOpt' false "Whether to encapsulate ESP frames in UDP.";
|
||||
firewall = mkBoolOpt' true "Whether to generate firewall rules.";
|
||||
vni = mkOpt' ints.unsigned 1 "VXLAN VNI.";
|
||||
peers = mkOpt' (attrsOf (submodule l2PeerOpts)) { } "Peers.";
|
||||
|
||||
@@ -36,8 +36,8 @@ let
|
||||
espOverhead =
|
||||
if (!mesh.security.enable) then 0
|
||||
else
|
||||
# SPI + seq + IV + pad / header + ICV
|
||||
4 + 4 + (if mesh.security.encrypt then 8 else 0) + 2 + 16;
|
||||
# UDP encap + SPI + seq + IV + pad / header + ICV
|
||||
(if mesh.udpEncapsulation then 8 else 0) + 4 + 4 + (if mesh.security.encrypt then 8 else 0) + 2 + 16;
|
||||
# UDP + VXLAN + Ethernet + L3 (IPv4/IPv6)
|
||||
overhead = espOverhead + 8 + 8 + 14 + mesh.l3Overhead;
|
||||
in
|
||||
@@ -62,7 +62,11 @@ let
|
||||
chain l2mesh-${name} {
|
||||
${optionalString mesh.security.enable ''
|
||||
udp dport isakmp accept
|
||||
meta l4proto esp accept
|
||||
${if mesh.udpEncapsulation then ''
|
||||
udp dport ipsec-nat-t accept
|
||||
'' else ''
|
||||
meta l4proto esp accept
|
||||
''}
|
||||
''}
|
||||
${optionalString (!mesh.security.enable) (vxlanAllow mesh.vni)}
|
||||
return
|
||||
@@ -94,6 +98,7 @@ let
|
||||
esp=${if mesh.security.encrypt then "aes_gcm256" else "null-sha256"}
|
||||
ikev2=yes
|
||||
modecfgpull=no
|
||||
encapsulation=${if mesh.udpEncapsulation then "yes" else "no"}
|
||||
'';
|
||||
})
|
||||
otherPeers);
|
||||
|
||||
Reference in New Issue
Block a user