iptables module: add compat layer to networking.firewall

This commit is contained in:
lassulus 2021-12-21 12:38:07 +01:00
parent d6f79283bf
commit 0a7d779cc1


@ -73,7 +73,7 @@ let
}; };
}; };
imp = { imp = mkMerge ([{
networking.firewall.enable = false; networking.firewall.enable = false;
systemd.services.krebs-iptables = { systemd.services.krebs-iptables = {
@ -97,7 +97,41 @@ let
unitConfig.DefaultDependencies = false; unitConfig.DefaultDependencies = false;
}; };
}; }] ++ compat);
compat = [
({
krebs.iptables.tables.filter.INPUT.rules = map
(port: { predicate = "-p tcp --dport ${toString port}"; target = "ACCEPT"; })
config.networking.firewall.allowedTCPPorts;
})
({
krebs.iptables.tables.filter.INPUT.rules = map
(port: { predicate = "-p udp --dport ${toString port}"; target = "ACCEPT"; })
config.networking.firewall.allowedUDPPorts;
})
({
krebs.iptables.tables.filter.INPUT.rules = map
(portRange: { predicate = "-p tcp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; })
config.networking.firewall.allowedTCPPortRanges;
})
({
krebs.iptables.tables.filter.INPUT.rules = map
(portRange: { predicate = "-p udp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; })
config.networking.firewall.allowedUDPPortRanges;
})
({
krebs.iptables.tables.filter.INPUT.rules = flatten (mapAttrsToList
(interface: interfaceConfig: [
(map (port: { predicate = "-i ${interface} -p tcp --dport ${toString port}"; target = "ACCEPT"; }) interfaceConfig.allowedTCPPorts)
(map (port: { predicate = "-i ${interface} -p udp --dport ${toString port}"; target = "ACCEPT"; }) interfaceConfig.allowedUDPPorts)
(map (portRange: { predicate = "-i ${interface} -p tcp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; }) interfaceConfig.allowedTCPPortRanges)
(map (portRange: { predicate = "-i ${interface} -p udp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; }) interfaceConfig.allowedUDPPortRanges)
])
config.networking.firewall.interfaces
);
})
];
#buildTable :: iptablesVersion -> iptablesAttrSet` -> str #buildTable :: iptablesVersion -> iptablesAttrSet` -> str
#todo: differentiate by iptables-version #todo: differentiate by iptables-version