nixos/tayga: add option to allow toggling WKPF strict compliance

lukegb · flokli · commit 4548324aae56 · 2025-08-10T17:00:13.000+02:00
The RFC requires that we don't allow access to non-global v4 addresses
using the well-known 64:ff9b:: prefix, but there are some deployments
where it's convenient to permit this.

To make this work in tests, disable wkpf-strictness via the config
option introduced in bc18503e2ff1ee48ac472a67ba982dae76a5c2d3.

Tayga added 100.64.0.0 to the set of WKPF in
4dff17ef61821f5bc1996ce687a3dc317fd4fa50.
diff --git a/nixos/modules/services/networking/tayga.nix b/nixos/modules/services/networking/tayga.nix
@@ -27,6 +27,8 @@ let
     ${optionalString ((builtins.length cfg.log) > 0) ''
       log ${concatStringsSep " " cfg.log}
     ''}
+
+    wkpf-strict ${if cfg.wkpfStrict then "yes" else "no"}
   '';
 
   addrOpts =
@@ -145,6 +147,12 @@ in
           [ "drop" "reject" "icmp" "self" ]
         '';
       };
+
+      wkpfStrict = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Enable restrictions on the use of the well-known prefix (64:ff9b::/96) - prevents translation of non-global IPv4 ranges when using the well-known prefix. Must be enabled for RFC 6052 compatibility.";
+      };
     };
   };
 
diff --git a/nixos/tests/tayga.nix b/nixos/tests/tayga.nix
@@ -31,11 +31,10 @@
   };
 
   nodes = {
-    # The server is configured with static IPv4 addresses. RFC 6052 Section 3.1
-    # disallows the mapping of non-global IPv4 addresses like RFC 1918 into the
-    # Well-Known Prefix 64:ff9b::/96. TAYGA also does not allow the mapping of
-    # documentation space (RFC 5737). To circumvent this, 100.64.0.2/24 from
-    # RFC 6589 (Carrier Grade NAT) is used here.
+    # The server is configured with static IPv4 addresses. We have to disable the
+    # well-known prefix restrictions (as required by RFC 6052 Section 3.1) because
+    # we're using private space (TAYGA also considers documentation space non-global,
+    # unfortunately).
     # To reach the IPv4 address pool of the NAT64 gateway, there is a static
     # route configured. In normal cases, where the router would also source NAT
     # the pool addresses to one IPv4 addresses, this would not be needed.
@@ -145,6 +144,7 @@
           "icmp"
           "self"
         ];
+        wkpfStrict = false;
       };
       environment.systemPackages = [ pkgs.tcpdump ];
     };
@@ -217,6 +217,7 @@
           "icmp"
           "self"
         ];
+        wkpfStrict = false;
       };
       environment.systemPackages = [ pkgs.tcpdump ];
     };
