nixos/modules/firewall: Inherit networking.firewall.allowed*Ports

This commit is contained in:
Jack O'Sullivan 2022-02-17 17:08:25 +00:00
parent 21ce843a8f
commit 778f635542
2 changed files with 6 additions and 4 deletions


@ -122,7 +122,7 @@ in
}; };
openssh = { openssh = {
enable = true; enable = mkDefault true;
}; };
}; };
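Review bot: The switch to `enable = mkDefault true;` on the openssh line is not mentioned in the commit message, which only describes inheriting the networking.firewall.allowed*Ports lists, so the intent of making sshd opt-out for a host is left for the reader to infer. A one-line comment above it would record that, e.g. `# mkDefault so a host can opt out of sshd without mkForce`. Since the second file in this commit also drops `"ssh"` from the firewall's default TCP allow list, SSH reachability on a host now follows whatever the openssh module contributes to networking.firewall.allowedTCPPorts (presumably gated by services.openssh.openFirewall), which appears to be the intended coupling but is worth stating next to this default. The enclosing attribute set begins outside the hunk.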


@ -10,7 +10,7 @@ in
enable = mkBoolOpt' true "Whether to enable the nftables-based firewall."; enable = mkBoolOpt' true "Whether to enable the nftables-based firewall.";
trustedInterfaces = options.networking.firewall.trustedInterfaces; trustedInterfaces = options.networking.firewall.trustedInterfaces;
tcp = { tcp = {
allowed = mkOpt' (listOf (either port str)) [ "ssh" ] "TCP ports to open."; allowed = mkOpt' (listOf (either port str)) [ ] "TCP ports to open.";
}; };
udp = { udp = {
allowed = mkOpt' (listOf (either port str)) [ ] "UDP ports to open."; allowed = mkOpt' (listOf (either port str)) [ ] "UDP ports to open.";
@ -32,14 +32,16 @@ in
ruleset = ruleset =
let let
trusted' = "{ ${concatStringsSep ", " cfg.trustedInterfaces} }"; trusted' = "{ ${concatStringsSep ", " cfg.trustedInterfaces} }";
openTCP = cfg.tcp.allowed ++ config.networking.firewall.allowedTCPPorts;
openUDP = cfg.udp.allowed ++ config.networking.firewall.allowedUDPPorts;
in in
'' ''
table inet filter { table inet filter {
chain wan-tcp { chain wan-tcp {
${concatMapStringsSep "\n " (p: "tcp dport ${toString p} accept") cfg.tcp.allowed} ${concatMapStringsSep "\n " (p: "tcp dport ${toString p} accept") openTCP}
} }
chain wan-udp { chain wan-udp {
${concatMapStringsSep "\n " (p: "udp dport ${toString p} accept") cfg.udp.allowed} ${concatMapStringsSep "\n " (p: "udp dport ${toString p} accept") openUDP}
} }
chain wan { chain wan {