[READY] - nixos-modules.routers.border: heTunnelEnable bool and passive ifaces

[sarcasticadmin]

Description of PR

Fixes: #1094

Mimic the existing firewall rules we have in dev environment in fmt2:

scale-network/nix/nixos-configurations/router-scale-br-fmt2/default.nix

Lines 50 to 106 in f6e1e95

	networking.nftables.ruleset = ''
	table inet filter {
	chain INPUT {
	type filter hook input priority filter;
	policy drop;
	# Show internal traffic (To the router only via the management net)
	iifname { bridge103 } accept;
	# Allow traffic from Owen's network
	ip6 saddr 2620:0:930::/48 accept;
	# Existing Flows
	ct state established,related accept;
	# Drop traffic to the show IPv6 network
	ip6 daddr 2001:470:f026::/48 counter drop;
	# PING
	meta l4proto { icmp, ipv6-icmp } accept;
	log prefix "NFINP-DROP: " accept;
	}
	chain FORWARD {
	type filter hook forward priority filter;
	policy drop;
	# Show internal traffic
	iifname { bridge100, bridge101, bridge102, bridge103, bridge104, bridge105, bridge107, bridge110 } oifname { bridge100, bridge101, bridge102, bridge103, bridge104, bridge105, bridge107, bridge110} counter accept
	iifname { bridge100, bridge101, bridge102, bridge103, bridge104, bridge105, bridge107, bridge110 } oifname copper0 counter accept
	# Existing Flows
	ct state established,related accept;
	# Owen's Network
	ip6 saddr 2620:0:930::/48 accept;
	# PING
	meta l4proto { icmp, ipv6-icmp } accept;
	# Drop inbound IPv6 traffic not matched above
	ip6 daddr 2001:470:f026::/48 counter drop;
	log prefix "NFFWD-DROP: " accept;
	}
	chain OUTPUT {
	type filter hook output priority filter;
	accept;
	}
	}
	table ip nat {
	chain PREROUTING {
	type nat hook prerouting priority dstnat; policy accept;
	}
	chain INPUT {
	type nat hook input priority 100; policy accept;
	}
	chain OUTPUT {
	type nat hook output priority -100; policy accept;
	}
	chain POSTROUTING {
	type nat hook postrouting priority srcnat; policy accept;
	oifname "copper0" ip daddr 0.0.0.0/0 counter masquerade
	}
	}
	'';

Additionally we include the he tunnel which is also enabled in the offseason on the same router:

scale-network/nix/nixos-configurations/router-scale-br-fmt2/default.nix

Lines 115 to 124 in f6e1e95

	"20-hetunnel" = {
	netdevConfig = {
	Name = "he-tunnel";
	Kind = "sit";
	MTUBytes = 1480;
	};
	tunnelConfig = {
	Local = "192.159.10.47";
	Remote = "66.220.18.42";
	};

Previous Behavior

• HE Tunnel only existed on scale-border-fmt2
• Border firewall was only configured for NAT
• ipv6 interfaces for border were not passive

New Behavior

• Enabling the complete firewall for border
• Add boolean to border module for HE tunnel
• ipv6 passive interfaces for border: WAN, bridge103
• RA config for backdoor0 on all routers

Tests

• Confirmed HE systemd-units between heTunnelEnable toggle:

nix build .#nixosConfigurations.router-conf.config.system.build.toplevel
ls -lah results/etc/systemd/network/*-hetunnel*

• Applied routers configs to border expo and conf bare metal and frr and pings looked good
• Confirmed passive ifaces on border in vtysh: show ip ipv6 opsf6 interaces looking for No Hellos (Passive interface) on WAN and bridge103

[sarcasticadmin]

we didnt want 104 here after all since its actually a broadcast interface after the shuffle in #1108

[sarcasticadmin]

slight deviations from the router-fmt2 config: Including backdoor0 so that interface is still useful

[owendelong]

We might rename the 192.159.10.0/25 interface on FMT2 to backdoor0 to reflect its similar purpose.

[sarcasticadmin]

These bridges were paired down since we dont have as many as we do on router-fmt2 (since its more like a border + expo config)

[MrHamel]

Seems sound to me. Would approve if I could...

[owendelong]

Looks great... Thanks!