Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

tv iptables: admit wiregrill

Browse Source
This commit is contained in:
tv 2022-11-09 15:44:06 +01:00
parent 2cd5ed1699
commit 1b1632dfb5
1 changed files with 33 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
tv/3modules/iptables.nix
View File

@ -34,6 +34,10 @@ with import ./lib;
type = with types; listOf str; type = with types; listOf str;
default = []; default = [];
}; };
filter.Wiregrill = mkOption {
type = with types; listOf str;
default = [];
};
}; };
}; };
}; };
@ -66,6 +70,16 @@ with import ./lib;
default = []; default = [];
}; };
input-wiregrill-accept-tcp = mkOption {
type = with types; listOf (either int str);
default = [];
};
input-wiregrill-accept-udp = mkOption {
type = with types; listOf (either int str);
default = [];
};
extra = mkOption { extra = mkOption {
default = {}; default = {};
type = extraTypes.rules; type = extraTypes.rules;
@ -141,6 +155,7 @@ with import ./lib;
:FORWARD DROP [0:0] :FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:Retiolum - [0:0] :Retiolum - [0:0]
:Wiregrill - [0:0]
${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([] ${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([]
++ [ ++ [
"-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
@ -150,6 +165,7 @@ with import ./lib;
++ map accept-tcp (unique (map toString cfg.input-internet-accept-tcp)) ++ map accept-tcp (unique (map toString cfg.input-internet-accept-tcp))
++ map accept-udp (unique (map toString cfg.input-internet-accept-udp)) ++ map accept-udp (unique (map toString cfg.input-internet-accept-udp))
++ ["-i retiolum -j Retiolum"] ++ ["-i retiolum -j Retiolum"]
++ ["-i wiregrill -j Wiregrill"]
)} )}
${formatTable cfg.extra.filter} ${formatTable cfg.extra.filter}
${formatTable cfg."extra${toString iptables-version}".filter} ${formatTable cfg."extra${toString iptables-version}".filter}
@ -170,6 +186,23 @@ with import ./lib;
]; ];
}."ip${toString iptables-version}tables" }."ip${toString iptables-version}tables"
)} )}
${concatMapStringsSep "\n" (rule: "-A Wiregrill ${rule}") ([]
++ optional (cfg.accept-echo-request == "wiregrill") accept-echo-request
++ map accept-tcp (unique (map toString cfg.input-wiregrill-accept-tcp))
++ map accept-udp (unique (map toString cfg.input-wiregrill-accept-udp))
++ {
ip4tables = [
"-p tcp -j REJECT --reject-with tcp-reset"
"-p udp -j REJECT --reject-with icmp-port-unreachable"
"-j REJECT --reject-with icmp-proto-unreachable"
];
ip6tables = [
"-p tcp -j REJECT --reject-with tcp-reset"
"-p udp -j REJECT --reject-with icmp6-port-unreachable"
"-j REJECT"
];
}."ip${toString iptables-version}tables"
)}
COMMIT COMMIT
''; '';
} }