fix(nftables): local firewall

This commit is contained in:
arcnmx 2024-01-31 13:28:21 -08:00
parent 6dc06a746a
commit a283b4bf9a
9 changed files with 167 additions and 41 deletions


@ -2,10 +2,11 @@
let
inherit (lib) types;
inherit (lib.options) mkOption;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf;
inherit (lib.attrsets) mapAttrsToList;
inherit (lib.strings) optionalString concatStringsSep concatMapStringsSep;
inherit (lib.lists) optionals;
fwcfg = config.networking.firewall;
cfg = config.networking.nftables;
@ -41,7 +42,7 @@ let
concatStringsSep "\n" (mapAttrsToList (name: ifcfg: concatMapStringsSep "\n" (cond:
mkPorts "${cond} tcp" ifcfg.allowedTCPPorts ifcfg.allowedTCPPortRanges "accept"
+ mkPorts "${cond} udp" ifcfg.allowedUDPPorts ifcfg.allowedUDPPortRanges "accept"
) ifcfg.nftables.conditions) fwcfg.interfaces)
) (optionals ifcfg.nftables.enable ifcfg.nftables.conditions)) fwcfg.interfaces)
}
# DHCPv6
@ -86,9 +87,16 @@ let
'';
interfaceModule = { config, name, ... }: {
options = {
nftables.conditions = mkOption {
type = types.listOf types.str;
default = "iifname ${name}";
nftables = {
enable = mkEnableOption "nftables firewall" // {
default =
config.allowedTCPPorts != [ ] || config.allowedTCPPortRanges != [ ]
|| config.allowedUDPPorts != [ ] || config.allowedUDPPortRanges != [ ];
};
conditions = mkOption {
type = types.listOf types.str;
default = "iifname ${name}";
};
};
};
};
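Review bot: The `conditions` option is declared as `type = types.listOf types.str;` but its default is still the bare string `default = "iifname ${name}";` inside the new `nftables` attribute set, and the module system merges the default through the option type, so an interface that relies on the default should fail evaluation with a type error instead of producing an `iifname` match. The fix is to make the default a list: `default = [ "iifname ${name}" ];`. The mismatch was already present on the removed side, but the new `enable` default, which turns the per-interface rules on whenever any of the four port lists is non-empty, appears to make this path reachable for every interface that lists ports without setting `nftables.conditions` explicitly. The `interfaceModule` definition is complete within this hunk, so the change is local to it.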