Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

iptables module: add compat layer to networking.firewall

Browse Source
This commit is contained in:
lassulus 2021-12-21 12:38:07 +01:00
parent d6f79283bf
commit 0a7d779cc1
1 changed files with 36 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
krebs/3modules/iptables.nix
View File

@ -73,7 +73,7 @@ let
};
};
imp = {
imp = mkMerge ([{
networking.firewall.enable = false;
systemd.services.krebs-iptables = {
@ -97,7 +97,41 @@ let
unitConfig.DefaultDependencies = false;
};
};
}] ++ compat);
compat = [
({
krebs.iptables.tables.filter.INPUT.rules = map
(port: { predicate = "-p tcp --dport ${toString port}"; target = "ACCEPT"; })
config.networking.firewall.allowedTCPPorts;
})
({
krebs.iptables.tables.filter.INPUT.rules = map
(port: { predicate = "-p udp --dport ${toString port}"; target = "ACCEPT"; })
config.networking.firewall.allowedUDPPorts;
})
({
krebs.iptables.tables.filter.INPUT.rules = map
(portRange: { predicate = "-p tcp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; })
config.networking.firewall.allowedTCPPortRanges;
})
({
krebs.iptables.tables.filter.INPUT.rules = map
(portRange: { predicate = "-p udp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; })
config.networking.firewall.allowedUDPPortRanges;
})
({
krebs.iptables.tables.filter.INPUT.rules = flatten (mapAttrsToList
(interface: interfaceConfig: [
(map (port: { predicate = "-i ${interface} -p tcp --dport ${toString port}"; target = "ACCEPT"; }) interfaceConfig.allowedTCPPorts)
(map (port: { predicate = "-i ${interface} -p udp --dport ${toString port}"; target = "ACCEPT"; }) interfaceConfig.allowedUDPPorts)
(map (portRange: { predicate = "-i ${interface} -p tcp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; }) interfaceConfig.allowedTCPPortRanges)
(map (portRange: { predicate = "-i ${interface} -p udp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; }) interfaceConfig.allowedUDPPortRanges)
])
config.networking.firewall.interfaces
);
})
];
#buildTable :: iptablesVersion -> iptablesAttrSet` -> str
#todo: differentiate by iptables-version