net: fix broken firewall/ipset setup

2023-12-31 14:25:36 +00:00 · 2023-12-31 14:25:36 +00:00 · 103d11a87c
commit 103d11a87c
parent 0028c41bdc
1 changed files with 7 additions and 5 deletions
--- a/hosts/common/net.nix
+++ b/hosts/common/net.nix
@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:

 {
  # the default backend is "wpa_supplicant".
@ -39,14 +39,16 @@
    1900  # to received UPnP advertisements. required by sane-ip-check-upnp
  ];

-  networking.firewall.extraCommands = ''
+  networking.firewall.extraCommands = with pkgs; ''
    # after an outgoing SSDP query to the multicast address, open FW for incoming responses.
    # necessary for anything DLNA, especially go2tv
    # source: <https://serverfault.com/a/911286>
    # context: <https://github.com/alexballas/go2tv/issues/72>
-    ipset create upnp hash:ip,port timeout 10
-    iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
-    iptables -A INPUT -p udp -m set --match-set upnp dst,dst -j ACCEPT
+
+    # ipset -! means "don't fail if set already exists"
+    ${ipset}/bin/ipset create -! upnp hash:ip,port timeout 10
+    ${iptables}/bin/iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
+    ${iptables}/bin/iptables -A INPUT -p udp -m set --match-set upnp dst,dst -j ACCEPT
  '';

  # keyfile.path = where networkmanager should look for connection credentials