nixfiles/nixos/modules/firewall.nix

{ lib, options, config, ... }:
let
  inherit (lib) optionalString concatStringsSep concatMapStringsSep optionalAttrs mkIf mkDefault mkMerge mkOverride;
  inherit (lib.my) parseIPPort mkOpt' mkBoolOpt';

  allowICMP = ''
    icmp type {
      destination-unreachable,
      router-solicitation,
      router-advertisement,
      time-exceeded,
      parameter-problem,
      echo-request
    } accept
  '';
  allowICMP6 = ''
    icmpv6 type {
      destination-unreachable,
      packet-too-big,
      time-exceeded,
      parameter-problem,
      mld-listener-query,
      mld-listener-report,
      mld-listener-reduction,
      nd-router-solicit,
      nd-router-advert,
      nd-neighbor-solicit,
      nd-neighbor-advert,
      ind-neighbor-solicit,
      ind-neighbor-advert,
      mld2-listener-report,
      echo-request
    } accept
  '';
  allowUDPTraceroute = ''
    udp dport 33434-33625 accept
  '';

  forwardOpts = with lib.types; {
    options = {
      proto = mkOpt' (enum [ "tcp" "udp" ]) "tcp" "Protocol.";
      port = mkOpt' (either port str) null "Incoming port.";
      dst = mkOpt' str null "Destination (ip:port).";
    };
  };

  cfg = config.my.firewall;
  iptCfg = config.networking.firewall;
in
{
  options.my.firewall = with lib.types; {
    enable = mkBoolOpt' true "Whether to enable the nftables-based firewall.";
    trustedInterfaces = options.networking.firewall.trustedInterfaces;
    tcp = {
      allowed = mkOpt' (listOf (either port str)) [ ] "TCP ports to open.";
    };
    udp = {
      allowed = mkOpt' (listOf (either port str)) [ ] "UDP ports to open.";
      allowTraceroute = mkBoolOpt' true "Whethor or not to add a rule to accept UDP traceroute packets.";
    };
    extraRules = mkOpt' lines "" "Arbitrary additional nftables rules.";

    nat = with options.networking.nat; {
      enable = mkBoolOpt' true "Whether to enable IP forwarding and NAT.";
      inherit externalInterface externalIP;
      forwardPorts = mkOpt' (listOf (submodule forwardOpts)) [ ] "List of port forwards.";
    };
  };

  config = mkIf cfg.enable (mkMerge [
    {
      networking = {
        firewall.enable = false;
        nftables = {
          enable = true;
          ruleset =
            let
              trusted' = "{ ${concatStringsSep ", " (cfg.trustedInterfaces ++ iptCfg.trustedInterfaces)} }";
              openTCP = cfg.tcp.allowed ++ iptCfg.allowedTCPPorts;
              openUDP = cfg.udp.allowed ++ iptCfg.allowedUDPPorts;
            in
            ''
              table inet filter {
                chain wan-tcp {
                  ${concatMapStringsSep "\n    " (p: "tcp dport ${toString p} accept") openTCP}
                  return
                }
                chain wan-udp {
                  ${concatMapStringsSep "\n    " (p: "udp dport ${toString p} accept") openUDP}
                  return
                }

                chain wan {
                  ${allowICMP}
                  ip protocol igmp accept
                  ${allowICMP6}
                  ${allowUDPTraceroute}

                  tcp flags & (fin|syn|rst|ack) == syn ct state new jump wan-tcp
                  meta l4proto udp ct state new jump wan-udp

                  return
                }

                chain input {
                  type filter hook input priority 0; policy drop;

                  ct state established,related accept
                  ct state invalid drop

                  iif lo accept
                  ${optionalString (cfg.trustedInterfaces != []) "iifname ${trusted'} accept\n"}
                  jump wan
                }
                chain forward {
                  type filter hook forward priority 0; policy drop;
                  ${optionalString (cfg.trustedInterfaces != []) "\n    iifname ${trusted'} accept\n"}
                  ct state related,established accept

                  ${allowICMP}
                  ${allowICMP6}
                  ${allowUDPTraceroute}
                }
                chain output {
                  type filter hook output priority 0; policy accept;
                }
              }

              table inet nat {
                chain prerouting {
                  type nat hook prerouting priority dstnat;
                }
                chain postrouting {
                  type nat hook postrouting priority srcnat;
                }
              }

              ${cfg.extraRules}
            '';
        };
      };
    }
    (mkIf cfg.nat.enable {
      assertions = [
        {
          assertion = with cfg.nat; (forwardPorts != [ ]) -> (externalInterface != null && externalIP != null);
          message = "my.firewall.nat.forwardPorts requires my.firewall.nat.external{Interface,IP}";
        }
      ];

      # Yoinked from nixpkgs/nixos/modules/services/networking/nat.nix
      boot = {
        kernel.sysctl = {
          "net.ipv4.conf.all.forwarding" = mkOverride 99 true;
          "net.ipv4.conf.default.forwarding" = mkOverride 99 true;
        } // optionalAttrs config.networking.enableIPv6 {
          # Do not prevent IPv6 autoconfiguration.
          # See <http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/>.
          "net.ipv6.conf.all.accept_ra" = mkOverride 99 2;
          "net.ipv6.conf.default.accept_ra" = mkOverride 99 2;

          # Forward IPv6 packets.
          "net.ipv6.conf.all.forwarding" = mkOverride 99 true;
          "net.ipv6.conf.default.forwarding" = mkOverride 99 true;
        };
      };

      my.firewall.extraRules =
        let
          makeFilter = f:
            let
              ipp = parseIPPort f.dst;
            in
            "ip${optionalString ipp.v6 "6"} daddr ${ipp.ip} ${f.proto} dport ${toString f.port} accept";
          makeForward = f:
            let
              ipp = parseIPPort f.dst;
            in
              "${f.proto} dport ${toString f.port} dnat ip${optionalString ipp.v6 "6"} to ${f.dst}";
        in
        ''
          table inet filter {
            chain filter-port-forwards {
              ${concatMapStringsSep "\n    " makeFilter cfg.nat.forwardPorts}
              return
            }
            chain forward {
              ${optionalString
                (cfg.nat.externalInterface != null)
                "iifname ${cfg.nat.externalInterface} jump filter-port-forwards"}
            }
          }

          table inet nat {
            chain port-forward {
              ${concatMapStringsSep "\n    " makeForward cfg.nat.forwardPorts}
              return
            }
            chain prerouting {
              ${optionalString
                (cfg.nat.externalIP != null)
                "ip daddr ${cfg.nat.externalIP} jump port-forward"}
            }
          }
        '';
    })
  ]);

  meta.buildDocsInSandbox = false;
}
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00			`{ lib, options, config, ... }:`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`let`
			`inherit (lib) optionalString concatStringsSep concatMapStringsSep optionalAttrs mkIf mkDefault mkMerge mkOverride;`
Add initial installer 2022-02-17 15:47:24 +00:00			`inherit (lib.my) parseIPPort mkOpt' mkBoolOpt';`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
nixos: Test setup with public networking 2022-05-28 22:59:50 +01:00			`allowICMP = ''`
			`icmp type {`
			`destination-unreachable,`
			`router-solicitation,`
			`router-advertisement,`
			`time-exceeded,`
			`parameter-problem,`
			`echo-request`
			`} accept`
			`'';`
			`allowICMP6 = ''`
			`icmpv6 type {`
			`destination-unreachable,`
			`packet-too-big,`
			`time-exceeded,`
			`parameter-problem,`
			`mld-listener-query,`
			`mld-listener-report,`
			`mld-listener-reduction,`
			`nd-router-solicit,`
			`nd-router-advert,`
			`nd-neighbor-solicit,`
			`nd-neighbor-advert,`
			`ind-neighbor-solicit,`
			`ind-neighbor-advert,`
			`mld2-listener-report,`
			`echo-request`
			`} accept`
			`'';`
			`allowUDPTraceroute = ''`
			`udp dport 33434-33625 accept`
			`'';`

nixos/firewall: Fixes for NAT and IPv6 2022-05-28 21:50:26 +01:00			`forwardOpts = with lib.types; {`
			`options = {`
			`proto = mkOpt' (enum [ "tcp" "udp" ]) "tcp" "Protocol.";`
nixos: Test setup with public networking 2022-05-28 22:59:50 +01:00			`port = mkOpt' (either port str) null "Incoming port.";`
nixos/firewall: Fixes for NAT and IPv6 2022-05-28 21:50:26 +01:00			`dst = mkOpt' str null "Destination (ip:port).";`
			`};`
			`};`

Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`cfg = config.my.firewall;`
Implement initial containers module 2022-03-26 14:20:30 +00:00			`iptCfg = config.networking.firewall;`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`in`
			`{`
			`options.my.firewall = with lib.types; {`
Add custom module documentation 2022-02-13 17:44:14 +00:00			`enable = mkBoolOpt' true "Whether to enable the nftables-based firewall.";`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`trustedInterfaces = options.networking.firewall.trustedInterfaces;`
			`tcp = {`
nixos/modules/firewall: Inherit `networking.firewall.allowed*Ports` 2022-02-17 17:08:25 +00:00			`allowed = mkOpt' (listOf (either port str)) [ ] "TCP ports to open.";`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`};`
			`udp = {`
Add custom module documentation 2022-02-13 17:44:14 +00:00			`allowed = mkOpt' (listOf (either port str)) [ ] "UDP ports to open.";`
nixos: Test setup with public networking 2022-05-28 22:59:50 +01:00			`allowTraceroute = mkBoolOpt' true "Whethor or not to add a rule to accept UDP traceroute packets.";`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`};`
Add custom module documentation 2022-02-13 17:44:14 +00:00			`extraRules = mkOpt' lines "" "Arbitrary additional nftables rules.";`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`nat = with options.networking.nat; {`
Add custom module documentation 2022-02-13 17:44:14 +00:00			`enable = mkBoolOpt' true "Whether to enable IP forwarding and NAT.";`
nixos/firewall: DNAT by IP instead of incoming interface 2023-04-21 15:44:30 +01:00			`inherit externalInterface externalIP;`
nixos/firewall: Fixes for NAT and IPv6 2022-05-28 21:50:26 +01:00			`forwardPorts = mkOpt' (listOf (submodule forwardOpts)) [ ] "List of port forwards.";`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00			`};`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`};`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`config = mkIf cfg.enable (mkMerge [`
			`{`
			`networking = {`
			`firewall.enable = false;`
			`nftables = {`
			`enable = true;`
			`ruleset =`
			`let`
Implement initial containers module 2022-03-26 14:20:30 +00:00			`trusted' = "{ ${concatStringsSep ", " (cfg.trustedInterfaces ++ iptCfg.trustedInterfaces)} }";`
			`openTCP = cfg.tcp.allowed ++ iptCfg.allowedTCPPorts;`
			`openUDP = cfg.udp.allowed ++ iptCfg.allowedUDPPorts;`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`in`
			`''`
			`table inet filter {`
			`chain wan-tcp {`
nixos/modules/firewall: Inherit `networking.firewall.allowed*Ports` 2022-02-17 17:08:25 +00:00			`${concatMapStringsSep "\n " (p: "tcp dport ${toString p} accept") openTCP}`
Add initial nginx container 2022-05-31 21:25:51 +01:00			`return`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
			`chain wan-udp {`
nixos/modules/firewall: Inherit `networking.firewall.allowed*Ports` 2022-02-17 17:08:25 +00:00			`${concatMapStringsSep "\n " (p: "udp dport ${toString p} accept") openUDP}`
Add initial nginx container 2022-05-31 21:25:51 +01:00			`return`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`chain wan {`
nixos: Test setup with public networking 2022-05-28 22:59:50 +01:00			`${allowICMP}`
nixos/firewall: Fixes for NAT and IPv6 2022-05-28 21:50:26 +01:00			`ip protocol igmp accept`
nixos: Test setup with public networking 2022-05-28 22:59:50 +01:00			`${allowICMP6}`
			`${allowUDPTraceroute}`

			`tcp flags & (fin\|syn\|rst\|ack) == syn ct state new jump wan-tcp`
			`meta l4proto udp ct state new jump wan-udp`

			`return`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`chain input {`
			`type filter hook input priority 0; policy drop;`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`ct state established,related accept`
			`ct state invalid drop`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`iif lo accept`
			`${optionalString (cfg.trustedInterfaces != []) "iifname ${trusted'} accept\n"}`
			`jump wan`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00			`}`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`chain forward {`
			`type filter hook forward priority 0; policy drop;`
			`${optionalString (cfg.trustedInterfaces != []) "\n iifname ${trusted'} accept\n"}`
			`ct state related,established accept`
nixos: Test setup with public networking 2022-05-28 22:59:50 +01:00
			`${allowICMP}`
			`${allowICMP6}`
			`${allowUDPTraceroute}`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
			`chain output {`
			`type filter hook output priority 0; policy accept;`
			`}`
			`}`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
nixos/firewall: Fixes for NAT and IPv6 2022-05-28 21:50:26 +01:00			`table inet nat {`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`chain prerouting {`
nixos: Working ACME certs 2022-06-06 00:18:24 +01:00			`type nat hook prerouting priority dstnat;`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
			`chain postrouting {`
nixos: Working ACME certs 2022-06-06 00:18:24 +01:00			`type nat hook postrouting priority srcnat;`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00			`}`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`${cfg.extraRules}`
			`'';`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00			`};`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`};`
			`}`
			`(mkIf cfg.nat.enable {`
			`assertions = [`
			`{`
nixos/firewall: DNAT by IP instead of incoming interface 2023-04-21 15:44:30 +01:00			`assertion = with cfg.nat; (forwardPorts != [ ]) -> (externalInterface != null && externalIP != null);`
			`message = "my.firewall.nat.forwardPorts requires my.firewall.nat.external{Interface,IP}";`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
			`];`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`# Yoinked from nixpkgs/nixos/modules/services/networking/nat.nix`
			`boot = {`
			`kernel.sysctl = {`
			`"net.ipv4.conf.all.forwarding" = mkOverride 99 true;`
			`"net.ipv4.conf.default.forwarding" = mkOverride 99 true;`
			`} // optionalAttrs config.networking.enableIPv6 {`
			`# Do not prevent IPv6 autoconfiguration.`
			`# See <http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/>.`
			`"net.ipv6.conf.all.accept_ra" = mkOverride 99 2;`
			`"net.ipv6.conf.default.accept_ra" = mkOverride 99 2;`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`# Forward IPv6 packets.`
			`"net.ipv6.conf.all.forwarding" = mkOverride 99 true;`
			`"net.ipv6.conf.default.forwarding" = mkOverride 99 true;`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00			`};`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`};`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`my.firewall.extraRules =`
			`let`
			`makeFilter = f:`
			`let`
nixos/firewall: Fixes for NAT and IPv6 2022-05-28 21:50:26 +01:00			`ipp = parseIPPort f.dst;`
			`in`
			`"ip${optionalString ipp.v6 "6"} daddr ${ipp.ip} ${f.proto} dport ${toString f.port} accept";`
			`makeForward = f:`
			`let`
			`ipp = parseIPPort f.dst;`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`in`
nixos/firewall: Fixes for NAT and IPv6 2022-05-28 21:50:26 +01:00			`"${f.proto} dport ${toString f.port} dnat ip${optionalString ipp.v6 "6"} to ${f.dst}";`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`in`
			`''`
			`table inet filter {`
			`chain filter-port-forwards {`
			`${concatMapStringsSep "\n " makeFilter cfg.nat.forwardPorts}`
nixos/firewall: Fixes for NAT and IPv6 2022-05-28 21:50:26 +01:00			`return`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00			`}`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`chain forward {`
Add initial installer 2022-02-17 15:47:24 +00:00			`${optionalString`
			`(cfg.nat.externalInterface != null)`
			`"iifname ${cfg.nat.externalInterface} jump filter-port-forwards"}`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
			`}`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
nixos/firewall: Fixes for NAT and IPv6 2022-05-28 21:50:26 +01:00			`table inet nat {`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`chain port-forward {`
			`${concatMapStringsSep "\n " makeForward cfg.nat.forwardPorts}`
nixos/firewall: Fixes for NAT and IPv6 2022-05-28 21:50:26 +01:00			`return`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
			`chain prerouting {`
Add initial installer 2022-02-17 15:47:24 +00:00			`${optionalString`
nixos/firewall: DNAT by IP instead of incoming interface 2023-04-21 15:44:30 +01:00			`(cfg.nat.externalIP != null)`
			`"ip daddr ${cfg.nat.externalIP} jump port-forward"}`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00			`}`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
			`'';`
			`})`
			`]);`
Add capability to choose home-manager branch 2022-02-15 20:50:27 +00:00
			`meta.buildDocsInSandbox = false;`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`