tayga: 0.9.2 -> 0.9.5 (NixOS#432528)

lukegb · web-flow · commit 7f552ff771cf · 2025-08-10T17:50:45.000+02:00
diff --git a/nixos/modules/services/networking/tayga.nix b/nixos/modules/services/networking/tayga.nix
@@ -23,6 +23,12 @@ let
     data-dir ${cfg.dataDir}
 
     ${concatStringsSep "\n" (mapAttrsToList (ipv4: ipv6: "map " + ipv4 + " " + ipv6) cfg.mappings)}
+
+    ${optionalString ((builtins.length cfg.log) > 0) ''
+      log ${concatStringsSep " " cfg.log}
+    ''}
+
+    wkpf-strict ${if cfg.wkpfStrict then "yes" else "no"}
   '';
 
   addrOpts =
@@ -132,6 +138,21 @@ in
           }
         '';
       };
+
+      log = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+        description = "Packet errors to log (drop, reject, icmp, self)";
+        example = literalExpression ''
+          [ "drop" "reject" "icmp" "self" ]
+        '';
+      };
+
+      wkpfStrict = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Enable restrictions on the use of the well-known prefix (64:ff9b::/96) - prevents translation of non-global IPv4 ranges when using the well-known prefix. Must be enabled for RFC 6052 compatibility.";
+      };
     };
   };
 
@@ -171,13 +192,16 @@ in
       };
     };
 
+    environment.etc."tayga.conf".source = configFile;
+
     systemd.services.tayga = {
       description = "Stateless NAT64 implementation";
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];
 
+      reloadTriggers = [ configFile ];
       serviceConfig = {
-        ExecStart = "${cfg.package}/bin/tayga -d --nodetach --config ${configFile}";
+        ExecStart = "${cfg.package}/bin/tayga -d --nodetach --config /etc/tayga.conf";
         ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
         Restart = "always";
 
diff --git a/nixos/tests/tayga.nix b/nixos/tests/tayga.nix
@@ -31,11 +31,10 @@
   };
 
   nodes = {
-    # The server is configured with static IPv4 addresses. RFC 6052 Section 3.1
-    # disallows the mapping of non-global IPv4 addresses like RFC 1918 into the
-    # Well-Known Prefix 64:ff9b::/96. TAYGA also does not allow the mapping of
-    # documentation space (RFC 5737). To circumvent this, 100.64.0.2/24 from
-    # RFC 6589 (Carrier Grade NAT) is used here.
+    # The server is configured with static IPv4 addresses. We have to disable the
+    # well-known prefix restrictions (as required by RFC 6052 Section 3.1) because
+    # we're using private space (TAYGA also considers documentation space non-global,
+    # unfortunately).
     # To reach the IPv4 address pool of the NAT64 gateway, there is a static
     # route configured. In normal cases, where the router would also source NAT
     # the pool addresses to one IPv4 addresses, this would not be needed.
@@ -63,6 +62,7 @@
         };
       };
       programs.mtr.enable = true;
+      environment.systemPackages = [ pkgs.tcpdump ];
     };
 
     # The router is configured with static IPv4 addresses towards the server
@@ -87,6 +87,7 @@
       ];
 
       networking = {
+        hostName = "router-systemd";
         useDHCP = false;
         useNetworkd = true;
         firewall.enable = false;
@@ -137,7 +138,15 @@
         mappings = {
           "192.0.2.42" = "2001:db8::2";
         };
+        log = [
+          "drop"
+          "reject"
+          "icmp"
+          "self"
+        ];
+        wkpfStrict = false;
       };
+      environment.systemPackages = [ pkgs.tcpdump ];
     };
 
     router_nixos = {
@@ -152,6 +161,7 @@
       ];
 
       networking = {
+        hostName = "router-nixos";
         useDHCP = false;
         firewall.enable = false;
         interfaces.eth1 = lib.mkForce {
@@ -201,7 +211,15 @@
         mappings = {
           "192.0.2.42" = "2001:db8::2";
         };
+        log = [
+          "drop"
+          "reject"
+          "icmp"
+          "self"
+        ];
+        wkpfStrict = false;
       };
+      environment.systemPackages = [ pkgs.tcpdump ];
     };
 
     # The client is configured with static IPv6 addresses. It has also a static
@@ -233,6 +251,7 @@
         };
       };
       programs.mtr.enable = true;
+      environment.systemPackages = [ pkgs.tcpdump ];
     };
   };
 
diff --git a/pkgs/by-name/ta/tayga/package.nix b/pkgs/by-name/ta/tayga/package.nix
@@ -1,23 +1,32 @@
 {
   lib,
   stdenv,
-  fetchurl,
+  fetchFromGitHub,
   nixosTests,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
-  version = "0.9.2";
+  version = "0.9.5";
   pname = "tayga";
 
-  src = fetchurl {
-    url = "http://www.litech.org/tayga/tayga-${finalAttrs.version}.tar.bz2";
-    hash = "sha256-Kx95J6nS3P+Qla/zwnGSSwUsz9L6ypWIsndDGkTwAJw=";
+  src = fetchFromGitHub {
+    owner = "apalrd";
+    repo = "tayga";
+    tag = finalAttrs.version;
+    hash = "sha256-xOm4fetFq2UGuhOojrT8WOcX78c6MLTMVbDv+O62x2E=";
   };
 
-  env.NIX_CFLAGS_COMPILE = toString [
-    "-Wno-address-of-packed-member"
-    "-Wno-implicit-function-declaration"
-  ];
+  preBuild = ''
+    echo "#define TAYGA_VERSION \"${finalAttrs.version}\"" > version.h
+  '';
+
+  installPhase = ''
+    install -Dm755 tayga $out/bin/tayga
+    install -D tayga.conf.5 $out/share/man/man5/tayga.conf.5
+    install -D tayga.8 $out/share/man/man8/tayga.8
+    cp -R docs $out/share/
+    cp tayga.conf.example $out/share/docs/
+  '';
 
   passthru.tests.tayga = nixosTests.tayga;
 
@@ -30,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: {
       It is intended to provide production-quality NAT64 service
       for networks where dedicated NAT64 hardware would be overkill.
     '';
-    homepage = "http://www.litech.org/tayga";
+    homepage = "https://github.com/apalrd/tayga";
     license = licenses.gpl2Plus;
     maintainers = with maintainers; [ _0x4A6F ];
     platforms = platforms.linux;
