From e760569b3e6b4f54b878933685d6c7d38c52bb37 Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Wed, 20 Dec 2023 22:59:51 +0000
Subject: [PATCH] Don't blindly trust as211024

---
 lib/constants.nix | 19 +++++++++++++++++++
 nixos/boxes/britway/default.nix | 8 +++++++-
 nixos/boxes/colony/vms/estuary/default.nix | 4 ++--
 nixos/boxes/home/routing-common/default.nix | 6 ++++--
 4 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/lib/constants.nix b/lib/constants.nix
index 4677b9c..7c556b2 100644
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -281,6 +281,25 @@ rec {
 };
 };
 
+ as211024 = rec {
+ trusted = {
+ v4 = [
+ colony.prefixes.all.v4
+ home.prefixes.all.v4
+ tailscale.prefix.v4
+ ];
+ v6 = [
+ colony.prefixes.all.v6
+ home.prefixes.all.v6
+ tailscale.prefix.v6
+ ];
+ };
+ nftTrust = ''
+ iifname as211024 ip saddr { ${concatStringsSep ", " trusted.v4} } accept
+ iifname as211024 ip6 saddr { ${concatStringsSep ", " trusted.v6} } accept
+ '';
+ };
+
 kelder = {
 groups = {
 storage = 2000;
diff --git a/nixos/boxes/britway/default.nix b/nixos/boxes/britway/default.nix
index 6981bbd..4a6a105 100644
--- a/nixos/boxes/britway/default.nix
+++ b/nixos/boxes/britway/default.nix
@@ -150,8 +150,14 @@ in
 };
 
 firewall = {
- trustedInterfaces = [ "as211024" "tailscale0" ];
+ trustedInterfaces = [ "tailscale0" ];
 extraRules = ''
+ table inet filter {
+ chain forward {
+ ${lib.my.c.as211024.nftTrust}
+ oifname as211024 accept
+ }
+ }
 table inet nat {
 chain postrouting {
 iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address}
diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix
index c86a40f..d86402c 100644
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -366,7 +366,6 @@ in
 };
 };
 firewall = {
- trustedInterfaces = [ "as211024" ];
 udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ];
 tcp.allowed = [ 5353 "bgp" ];
 nat = {
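Review bot: `nftTrust` accepts on source address alone, so a packet arriving on as211024 whose source claims to be inside the colony, home or tailscale prefixes is accepted before any other forward filtering — on estuary and the home routers it skips filter-routing, on britway it is accepted outright. Unless something outside this patch already validates reverse paths on as211024 (rp_filter, or an nft `fib saddr . iif oif missing drop` ahead of these rules), the trust is only as strong as the tunnel peer's own ingress filtering, and that assumption deserves to be written down here. A header comment would help, e.g. `# Forward-chain rules accepting as211024 traffic only when it originates from our own (colony/home/tailscale) prefixes; interpolated by britway, estuary and the home routers`. The same observation applies where the string is interpolated in the britway, estuary and routing-common hunks below.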
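Review bot: Removing as211024 from `trustedInterfaces` presumably also drops its implicit input-chain trust, yet the hunk only adds forward-chain rules; anything britway itself serves over the tunnel now depends on tcp/udp allow lists that are not in this hunk, so confirm they cover it. The new `table inet filter { chain forward { … } }` declares no hook or policy, which only works if the firewall module already defines that chain and these rules merge into it — a comment such as `# merged into the forward chain declared by the firewall module; trusted as211024 sources in, anything out to the tunnel` above it would save the next reader the lookup. The enclosing `firewall = {` set continues past the end of the hunk.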
@@ -416,7 +415,8 @@ in
 }
 chain forward {
- iifname { wan, $ixps } oifname base jump filter-routing
+ ${lib.my.c.as211024.nftTrust}
+ iifname { wan, as211024, $ixps } oifname base jump filter-routing
 oifname $ixps jump ixp
 iifname base oifname { base, wan, $ixps } accept
 oifname { as211024, kelder } accept
diff --git a/nixos/boxes/home/routing-common/default.nix b/nixos/boxes/home/routing-common/default.nix
index 70d6b34..3bbcdc7 100644
--- a/nixos/boxes/home/routing-common/default.nix
+++ b/nixos/boxes/home/routing-common/default.nix
@@ -311,7 +311,7 @@ in
 };
 };
 firewall = {
- trustedInterfaces = [ "lan-hi" "lan-lo" "as211024" ];
+ trustedInterfaces = [ "lan-hi" "lan-lo" ];
 udp.allowed = [ 5353 ];
 tcp.allowed = [ 5353 ];
 nat = {
@@ -358,8 +358,10 @@ in
 }
 chain forward {
+ ${lib.my.c.as211024.nftTrust}
 iifname lan-untrusted jump filter-untrusted
- iifname { wan, lan-untrusted } oifname { lan-hi, lan-lo } jump filter-routing
+ iifname { wan, as211024, lan-untrusted } oifname { lan-hi, lan-lo } jump filter-routing
+ oifname as211024 accept
 }
 chain output {
 }
 }
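Review bot: as211024 is added to the filter-routing jump only for `oifname base`, so untrusted-source traffic from the tunnel toward wan or $ixps matches none of the rules visible in this hunk and its fate rests on the forward chain's policy, which is outside the hunk. If that policy is not drop, an explicit `iifname as211024 oifname { wan, $ixps } drop` after the jump would make the intent independent of it. A short comment on the nftTrust line, e.g. `# own prefixes arriving over as211024 bypass filter-routing; other tunnel traffic is filtered like wan`, would also explain why it must precede the jump. The chain continues beyond the hunk.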
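Review bot: `oifname as211024 accept` sits after the `iifname lan-untrusted jump filter-untrusted` line, so any lan-untrusted traffic that filter-untrusted returns from rather than drops is accepted toward the tunnel and reaches everything behind as211024; whether filter-untrusted terminates is not visible here. If the untrusted VLAN is meant to stay confined, qualifying it as `iifname { lan-hi, lan-lo } oifname as211024 accept` makes that explicit regardless of what filter-untrusted does. The nftTrust line would read better with a comment such as `# own prefixes arriving over as211024 bypass filter-routing; other tunnel traffic is filtered like wan`.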