From f389de9c556791fc87c37c45320e62f8a78c9fb1 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Sat, 6 Apr 2024 14:55:48 +0200
Subject: [PATCH] nftables: use networking.firewall.allowed{TCP,UDP}Port{s,Ranges}

This is a no-op as far as actual config is concerned, but allows using the usual networking options again, which before this commit were just old unused code lying around.

There are still many other networking options which we set that currently do nothing (e.g. the network bridge to lxc).
---
 parsons/nftables.nix | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/parsons/nftables.nix b/parsons/nftables.nix
index 6e5ebc0..97776fe 100644
--- a/parsons/nftables.nix
+++ b/parsons/nftables.nix
@@ -1,5 +1,13 @@
 { config, lib, pkgs, ... }:
+let
+ cfg = config.networking.firewall;
+ mkPorts = ports: ranges:
+ lib.strings.concatStringsSep ", "
+ (map ({from, to}: "${toString from}-${toString to}") ranges
+ ++
+ map toString ports);
+in
 {
 networking.firewall.enable = false;
 networking.nat.enable = false;
@@ -39,9 +47,9 @@
 iifname { lo } accept
- tcp dport { 25, 80, 443, 465, 587, 993, 4190, 62954, 64738 } accept
+ tcp dport { ${mkPorts cfg.allowedTCPPorts cfg.allowedTCPPortRanges} } accept
- udp dport { 60000-61000, 64738 } accept
+ udp dport { ${mkPorts cfg.allowedUDPPorts cfg.allowedUDPPortRanges} } accept
 # DHCPv6
 ip6 daddr fe80::/64 udp dport 546 accept
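Review bot: `mkPorts` returns an empty string when both of its lists are empty, so the `tcp dport { ... } accept` and `udp dport { ... } accept` rules in the second hunk render as `dport {  } accept`, which nft rejects as an empty anonymous set; since `allowedTCPPorts`/`allowedTCPPortRanges` (and the UDP pair) default to `[]`, the ruleset fails to load unless every protocol has at least one entry set elsewhere in the configuration. Guard the whole rule rather than the set, e.g. `${lib.optionalString (cfg.allowedTCPPorts ++ cfg.allowedTCPPortRanges != []) "tcp dport { ${mkPorts cfg.allowedTCPPorts cfg.allowedTCPPortRanges} } accept"}`, and the same for UDP. These options also become the single source of exposed ports while `networking.firewall.enable = false` stays set: any service module whose `openFirewall` option appends to `allowedTCPPorts` now opens that port in this ruleset without appearing in this file, which deserves a comment above `cfg`, e.g. `# exposed ports come from networking.firewall.allowed*, including entries added by service modules' openFirewall options`. If several modules contribute the same port or overlapping ranges, nft's element-conflict check may reject the set, so `lib.unique` on the port list is cheap insurance should that happen.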