From 12c27384df67f9176c3cbda374c56574cb0298b7 Mon Sep 17 00:00:00 2001
From: chayleaf
Date: Wed, 13 Sep 2023 16:44:50 +0700
Subject: [PATCH] router: small routing tables tweak

TODO: find a way to filter by SNI so I don't have to keep this ugly hack
---
 system/hosts/nixserver/keycloak.nix | 2 +-
 system/hosts/router/default.nix | 11 ++++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/system/hosts/nixserver/keycloak.nix b/system/hosts/nixserver/keycloak.nix
index 43d12f5..1470b55 100644
--- a/system/hosts/nixserver/keycloak.nix
+++ b/system/hosts/nixserver/keycloak.nix
@@ -38,7 +38,7 @@ in {
 # See also https://meta.akkoma.dev/t/390
 # https:///oauth/keycloak?scope=openid+profile
- # ...but this doesnt even work, the callback simply gets ignored
+ # ...but this doesnt even work, the callback fails with %OAuth2.Error{reason: :invalid_request}
 # oh well
 services.akkoma.config = {
 ":ueberauth" = let
diff --git a/system/hosts/router/default.nix b/system/hosts/router/default.nix
index 222becb..300bc70 100644
--- a/system/hosts/router/default.nix
+++ b/system/hosts/router/default.nix
@@ -545,11 +545,12 @@ in {
 [(is.eq ip6.daddr "@force_unvpn6") (mangle meta.mark wan_table)]
 [(is.eq ip.saddr "@force_unvpn4") (mangle meta.mark wan_table)]
 [(is.eq ip6.saddr "@force_unvpn6") (mangle meta.mark wan_table)]
- # force vpn to/from force_vpn4/force_vpn6 even if we previously decided to unvpn this connection
- [(is.eq ip.daddr "@force_vpn4") (mangle meta.mark vpn_table)]
- [(is.eq ip6.daddr "@force_vpn6") (mangle meta.mark vpn_table)]
- [(is.eq ip.saddr "@force_vpn4") (mangle meta.mark vpn_table)]
- [(is.eq ip6.saddr "@force_vpn6") (mangle meta.mark vpn_table)]
+ # ...force vpn to/from force_vpn4/force_vpn6
+ # (temporarily disable this because it breaks codeforces.org)
+ # [(is.eq ip.daddr "@force_vpn4") (mangle meta.mark vpn_table)]
+ # [(is.eq ip6.daddr "@force_vpn6") (mangle meta.mark vpn_table)]
+ # [(is.eq ip.saddr "@force_vpn4") (mangle meta.mark vpn_table)]
+ # [(is.eq ip6.saddr "@force_vpn6") (mangle meta.mark vpn_table)]
 # block requests to port 25 from hosts other than the server so they can't send mail pretending to originate from my domain
 # only do this for br0 since traffic from other interfaces isn't forwarded to wan
 [(is.eq meta.iifname "br0") (is.ne ether.saddr cfg.serverMac) (is.eq meta.l4proto (f: f.tcp)) (is.eq tcp.dport 25) (log "smtp ") drop]
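Review bot: Commenting out all four force_vpn rules fails open: a host in `@force_vpn4`/`@force_vpn6` that also matches the `@force_unvpn*` rules just above, or any earlier rule that un-VPN'd the connection, now stays on `wan_table`, so traffic the operator intended to always leave through the VPN can reach the WAN directly. The replacement comment keeps only the topic and drops the old "even if we previously decided to unvpn this connection" clause, which is exactly the guarantee being removed, so a reader of the new file cannot tell what is no longer enforced. Suggest stating the consequence and the exit condition in the comment, e.g. `# DISABLED: breaks codeforces.org (see TODO in commit message re: SNI filtering)` followed by `# while disabled, force_vpn4/force_vpn6 members are NOT pinned to vpn_table and fall back to the wan/unvpn decisions above`. If the breakage is limited to a few destinations it may be possible to keep the rules and carve only those out instead of dropping the whole pin, but the hunk does not show why codeforces.org breaks, so that is a guess. The enclosing rule list starts and ends outside the hunk.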