go2tv: remove firewall fix and allow SSDP at the iptables layer

hosts/common/net.nix

@@ -39,6 +39,16 @@
     1900  # to received UPnP advertisements. required by sane-ip-check-upnp
   ];
 
+  networking.firewall.extraCommands = ''
+    # after an outgoing SSDP query to the multicast address, open FW for incoming responses.
+    # necessary for anything DLNA, especially go2tv
+    # source: <https://serverfault.com/a/911286>
+    # context: <https://github.com/alexballas/go2tv/issues/72>
+    ipset create upnp hash:ip,port timeout 10
+    iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
+    iptables -A INPUT -p udp -m set --match-set upnp dst,dst -j ACCEPT
+  '';
+
   # keyfile.path = where networkmanager should look for connection credentials
   networking.networkmanager.extraConfig = ''
     [keyfile]

hosts/common/programs/go2tv.nix

@@ -28,24 +28,6 @@ let
   cfg = config.sane.programs.go2tv;
 in
 {
-  sane.programs.go2tv = {
-    package = pkgs.go2tv.overrideAttrs (orig: {
-      # SSDP doesn't do well with default firewall rules.
-      # - go2tv sends a UDP M-Search from localhost port P to the broadcast address.
-      # - UPNP sinks respond to localhost port P.
-      # - firewall can't track that "connection", because the address which contacts us isn't the same as the address we queried.
-      #
-      # to workaround this, force go2tv to query from a fixed *source* port.
-      # then the responses will likewise be to a fixed *dest* port, and we can open that port
-      postPatch = (orig.postPatch or "") + ''
-        substituteInPlace devices/devices.go \
-          --replace 'ssdp.Search(ssdp.All, delay, "")' 'ssdp.Search(ssdp.All, delay, "0.0.0.0:1901")'
-      '';
-    });
-  };
-
-  # necessary to discover local UPNP endpoints
-  networking.firewall.allowedUDPPorts = lib.mkIf cfg.enabled [ 1901 ];
   # for serving local files
   # see: go2tv/soapcalls/utils/iptools.go
   networking.firewall.allowedTCPPorts = lib.mkIf cfg.enabled [ 3500 ];