diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index cf9f9b406e11..9d5d9cfc87bd 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -58,6 +58,9 @@ let
 ${text}
 ''; in "${dir}/bin/${name}";
+ anyInterface = { any = mapAttrs (name: value: cfg."${name}") commonOptions; };
+ allInterfaces = anyInterface // cfg.interfaces;
+
 startScript = writeShScript "firewall-start" ''
 ${helpers}
@@ -154,7 +157,7 @@ let
 ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
 ''
 ) cfg.allowedTCPPorts
- ) (cfg.interfaces // {any={allowedTCPPorts = cfg.allowedTCPPorts;};}))}
+ ) allInterfaces)}
 # Accept connections to the allowed TCP port ranges.
 ${concatStrings (mapAttrsToList (iface: cfg:
@@ -164,7 +167,7 @@ let
 ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
 ''
 ) cfg.allowedTCPPortRanges
- ) (cfg.interfaces // {any={allowedTCPPortRanges = cfg.allowedTCPPortRanges;};}))}
+ ) allInterfaces)}
 # Accept packets on the allowed UDP ports.
 ${concatStrings (mapAttrsToList (iface: cfg:
@@ -173,7 +176,7 @@ let
 ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
 ''
 ) cfg.allowedUDPPorts
- ) (cfg.interfaces // {any={allowedUDPPorts = cfg.allowedUDPPorts;};}))}
+ ) allInterfaces)}
 # Accept packets on the allowed UDP port ranges.
 ${concatStrings (mapAttrsToList (iface: cfg:
@@ -183,7 +186,7 @@ let
 ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
 ''
 ) cfg.allowedUDPPortRanges
- ) (cfg.interfaces // {any={allowedUDPPortRanges = cfg.allowedUDPPortRanges;};}))}
+ ) allInterfaces)}
 # Accept IPv4 multicast. Not a big security risk since
 # probably nobody is listening anyway.
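Review bot: `allInterfaces = anyInterface // cfg.interfaces;` in the first hunk reverses the precedence the replaced expressions had: the old `cfg.interfaces // {any = ...;}` let the top-level port options always win for the `any` key, whereas now a user-declared `networking.firewall.interfaces.any` silently overrides `allowedTCPPorts`, `allowedUDPPorts` and the two range options, and its rules are emitted without `-i` because of the `iface != "any"` test in the later hunks. Unless an assertion elsewhere in the module rejects an interface literally named `any` (not visible here), the top-level port lists would be dropped with no evaluation error. If the old precedence is intended, write `allInterfaces = cfg.interfaces // anyInterface;`; if the new precedence is intended, the definition deserves a comment such as `# interfaces.any, when set, takes precedence over the top-level port options`. The same substitution is applied in the four following hunks, which need no change of their own.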