Merge pull request #50641 from blaxill/firewallMerge

nixos/firewall: Always use global firewall.allowed rules
2018-11-23 11:42:16 +00:00 · 2018-11-23 11:42:16 +00:00 · d3aeed389c
commit d3aeed389c
parent 7acd4eb51b 308ab4ea25
2 changed files with 20 additions and 10 deletions
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@ -222,6 +222,17 @@
     reset to the default value (<literal>false</literal>).
    </para>
   </listitem>
+   <listitem>
+    <para>
+     Network interface indiscriminate NixOS firewall options
+     (<literal>networking.firewall.allow*</literal>) are now preserved when also
+     setting interface specific rules such as <literal>networking.firewall.interfaces.en0.allow*</literal>.
+     These rules continue to use the pseudo device "default"
+     (<literal>networking.firewall.interfaces.default.*</literal>), and assigning
+     to this pseudo device will override the (<literal>networking.firewall.allow*</literal>)
+     options.
+    </para>
+   </listitem>
  </itemizedlist>
 </section>

--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@ -58,6 +58,9 @@ let
    ${text}
  ''; in "${dir}/bin/${name}";

+  defaultInterface = { default = mapAttrs (name: value: cfg."${name}") commonOptions; };
+  allInterfaces = defaultInterface // cfg.interfaces;
+
  startScript = writeShScript "firewall-start" ''
    ${helpers}

@ -154,7 +157,7 @@ let
          ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
        ''
      ) cfg.allowedTCPPorts
-    ) cfg.interfaces)}
+    ) allInterfaces)}

    # Accept connections to the allowed TCP port ranges.
    ${concatStrings (mapAttrsToList (iface: cfg:
@ -164,7 +167,7 @@ let
          ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
        ''
      ) cfg.allowedTCPPortRanges
-    ) cfg.interfaces)}
+    ) allInterfaces)}

    # Accept packets on the allowed UDP ports.
    ${concatStrings (mapAttrsToList (iface: cfg:
@ -173,7 +176,7 @@ let
          ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
        ''
      ) cfg.allowedUDPPorts
-    ) cfg.interfaces)}
+    ) allInterfaces)}

    # Accept packets on the allowed UDP port ranges.
    ${concatStrings (mapAttrsToList (iface: cfg:
@ -183,7 +186,7 @@ let
          ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
        ''
      ) cfg.allowedUDPPortRanges
-    ) cfg.interfaces)}
+    ) allInterfaces)}

    # Accept IPv4 multicast.  Not a big security risk since
    # probably nobody is listening anyway.
@ -508,15 +511,11 @@ in
      };

      interfaces = mkOption {
-        default = {
-          default = mapAttrs (name: value: cfg."${name}") commonOptions;
-        };
+        default = { };
        type = with types; attrsOf (submodule [ { options = commonOptions; } ]);
        description =
          ''
-            Interface-specific open ports. Setting this value will override
-            all values of the <literal>networking.firewall.allowed*</literal>
-            options.
+            Interface-specific open ports.
          '';
      };
    } // commonOptions;