IfState: Difference between revisions

(3 intermediate revisions by the same user not shown)

Line 1:

[https://ifstate.net/2.0/ IfState] is a python 3 utility designed for declarative management of Linux network interfaces. It acts as a frontend to the kernel's Netlink interface, using the <code>pyroute2</code> library to configure network settings such as IP addresses, bridges, traffic control, and WireGuard in an idempotent manner—much like an <code>iproute2</code>/<code>ethtool</code>/<code>tc</code>/<code>wg</code> wrapper.

It ~~will be probably be~~ available ~~with~~ NixOS 25.11 (see https://github.com/NixOS/nixpkgs/pull/431047).

It is available since NixOS 25.11 (see https://github.com/NixOS/nixpkgs/pull/431047).

=== Examples ===

You can find several examples on the [https://ifstate.net/2.0/examples/ IfState website]. ~~Due to~~ the ~~fact that these~~ are ~~yaml examples, I decided to provide some nix examples~~ here ~~too:<syntaxhighlight lang="nixos">{~~

You can find several examples on the [https://ifstate.net/2.0/examples/ IfState website]. Some include NixOS configuration instructions, while the more complex examples are covered in detail here.

~~networking.ifstate = {~~

~~enable = true;~~

~~settings = {~~

~~interfaces.enp3s0 = {~~

~~addresses = [~~

~~"192.0.2.10/24"~~

~~"2001:db8:dead:c0de::10/64"~~

];

~~link = {~~

~~state = "up";~~

~~kind = "physical";~~

};

~~identify.perm_address = "00:00:5e:00:53:00";~~

};

~~routing.routes = [~~

{

~~to = "0.0.0.0/0";~~

~~via = "192.0.2~~.~~1";~~

}

{

~~to = "::/0";~~

~~dev = "enp3s0";~~

~~via = "fe80::1";~~

}

];

};

~~}</syntaxhighlight>~~

==== Network Namespaces (netns) ====

Line 93:

Line 65:

To achieve this, you might want to isolate the provider network from your Global Routing Table (GRT) and bind the WireGuard endpoints. The <code>IfState</code> tool offers a link configuration option called <code>bind_netns</code>, which can be used with tunnel links (such as WireGuard, GRE, SIT, etc.) to implement this separation.

[[File:Ifstate-vpn-gw.png|center|frameless]]

'''Important Note:''' If <code>enp0s3</code> is your provider interface, this configuration will move it into an external network namespace that contains nothing except the bound WireGuard endpoint. As a result, you won’t be able to access systemd services like your SSH server without an active WireGuard connection. Plan accordingly to avoid losing access to critical services.<syntaxhighlight lang="nixos">

Line 190:

Line 163:

</syntaxhighlight>

=== Known Issues ===

@@ Line 1: / Line 1: @@
 [https://ifstate.net/2.0/ IfState] is a python 3 utility designed for declarative management of Linux network interfaces. It acts as a frontend to the kernel's Netlink interface, using the <code>pyroute2</code> library to configure network settings such as IP addresses, bridges, traffic control, and WireGuard in an idempotent manner—much like an <code>iproute2</code>/<code>ethtool</code>/<code>tc</code>/<code>wg</code> wrapper.
-It will be probably be available with NixOS 25.11 (see https://github.com/NixOS/nixpkgs/pull/431047).
+It is available since NixOS 25.11 (see https://github.com/NixOS/nixpkgs/pull/431047).
 === Examples ===
-You can find several examples on the [https://ifstate.net/2.0/examples/ IfState website]. Due to the fact that these are yaml examples, I decided to provide some nix examples here too:<syntaxhighlight lang="nixos">{
+You can find several examples on the [https://ifstate.net/2.0/examples/ IfState website]. Some include NixOS configuration instructions, while the more complex examples are covered in detail here.
-  networking.ifstate = {
-    enable = true;
-    settings = {
-      interfaces.enp3s0 = {
-        addresses = [
-          "192.0.2.10/24"
-          "2001:db8:dead:c0de::10/64"
-        ];
-        link = {
-          state = "up";
-          kind = "physical";
-        };
-        identify.perm_address = "00:00:5e:00:53:00";
-      };
-      routing.routes = [
-        {
-          to = "0.0.0.0/0";
-          via = "192.0.2.1";
-        }
-        {
-          to = "::/0";
-          dev = "enp3s0";
-          via = "fe80::1";
-        }
-      ];
-    };
-  };
-}</syntaxhighlight>
 ==== Network Namespaces (netns) ====
@@ Line 93: / Line 65: @@
 To achieve this, you might want to isolate the provider network from your Global Routing Table (GRT) and bind the WireGuard endpoints. The <code>IfState</code> tool offers a link configuration option called <code>bind_netns</code>, which can be used with tunnel links (such as WireGuard, GRE, SIT, etc.) to implement this separation.
+[[File:Ifstate-vpn-gw.png|center|frameless]]
 '''Important Note:''' If <code>enp0s3</code> is your provider interface, this configuration will move it into an external network namespace that contains nothing except the bound WireGuard endpoint. As a result, you won’t be able to access systemd services like your SSH server without an active WireGuard connection. Plan accordingly to avoid losing access to critical services.<syntaxhighlight lang="nixos">
@@ Line 190: / Line 163: @@
 </syntaxhighlight>
 === Known Issues ===