colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

net: fix broken firewall/ipset setup

Browse Source
This commit is contained in:
Colin 2023-12-31 14:25:36 +00:00
parent 0028c41bdc
commit 103d11a87c
1 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
hosts/common/net.nix
View File

@ -1,4 +1,4 @@
{ lib, ... }: { lib, pkgs, ... }:
{ {
# the default backend is "wpa_supplicant". # the default backend is "wpa_supplicant".
@ -39,14 +39,16 @@
1900 # to received UPnP advertisements. required by sane-ip-check-upnp 1900 # to received UPnP advertisements. required by sane-ip-check-upnp
]; ];
networking.firewall.extraCommands = '' networking.firewall.extraCommands = with pkgs; ''
# after an outgoing SSDP query to the multicast address, open FW for incoming responses. # after an outgoing SSDP query to the multicast address, open FW for incoming responses.
# necessary for anything DLNA, especially go2tv # necessary for anything DLNA, especially go2tv
# source: <https://serverfault.com/a/911286> # source: <https://serverfault.com/a/911286>
# context: <https://github.com/alexballas/go2tv/issues/72> # context: <https://github.com/alexballas/go2tv/issues/72>
ipset create upnp hash:ip,port timeout 10
iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist # ipset -! means "don't fail if set already exists"
iptables -A INPUT -p udp -m set --match-set upnp dst,dst -j ACCEPT ${ipset}/bin/ipset create -! upnp hash:ip,port timeout 10
${iptables}/bin/iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
${iptables}/bin/iptables -A INPUT -p udp -m set --match-set upnp dst,dst -j ACCEPT
''; '';
# keyfile.path = where networkmanager should look for connection credentials # keyfile.path = where networkmanager should look for connection credentials