parsons/nftables.nix

@@ -1,5 +1,13 @@
 { config, lib, pkgs, ... }:
 
+let
+  cfg = config.networking.firewall;
+  mkPorts = ports: ranges:
+    lib.strings.concatStringsSep ", "
+      (map ({from, to}: "${toString from}-${toString to}") ranges
+       ++
+       map toString ports);
+in
 {
   networking.firewall.enable = false;
   networking.nat.enable = false;
@@ -39,9 +47,9 @@
 
           iifname { lo } accept
 
-          tcp dport { 25, 80, 443, 465, 587, 993, 4190, 62954, 64738 } accept
+          tcp dport { ${mkPorts cfg.allowedTCPPorts cfg.allowedTCPPortRanges} } accept
 
-          udp dport { 60000-61000, 64738 } accept
+          udp dport { ${mkPorts cfg.allowedUDPPorts cfg.allowedUDPPortRanges} } accept
 
           # DHCPv6
           ip6 daddr fe80::/64 udp dport 546 accept