From 551d2f7ed2705636558010bf9e17fca29b0f67c7 Mon Sep 17 00:00:00 2001
From: Ben Blaxill
Date: Sun, 18 Nov 2018 15:03:42 -0500
Subject: [PATCH 1/4] nixos/firewall: Always use global firewall.allowed rules

Apply global firewall.allowed* rules separately from the interface specific rules.
---
 .../modules/services/networking/firewall.nix | 24 ++++++++-----------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 86463f276c65..cf9f9b406e11 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -151,39 +151,39 @@ let
${concatStrings (mapAttrsToList (iface: cfg:
concatMapStrings (port:
''
- ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
+ ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
''
) cfg.allowedTCPPorts
- ) cfg.interfaces)}
+ ) (cfg.interfaces // {any={allowedTCPPorts = cfg.allowedTCPPorts;};}))}

# Accept connections to the allowed TCP port ranges.
${concatStrings (mapAttrsToList (iface: cfg:
concatMapStrings (rangeAttr:
let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
''
- ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
+ ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
''
) cfg.allowedTCPPortRanges
- ) cfg.interfaces)}
+ ) (cfg.interfaces // {any={allowedTCPPortRanges = cfg.allowedTCPPortRanges;};}))}

# Accept packets on the allowed UDP ports.
${concatStrings (mapAttrsToList (iface: cfg:
concatMapStrings (port:
''
- ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
+ ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
''
) cfg.allowedUDPPorts
- ) cfg.interfaces)}
+ ) (cfg.interfaces // {any={allowedUDPPorts = cfg.allowedUDPPorts;};}))}

# Accept packets on the allowed UDP port ranges.
${concatStrings (mapAttrsToList (iface: cfg:
concatMapStrings (rangeAttr:
let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
''
- ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
+ ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
''
) cfg.allowedUDPPortRanges
- ) cfg.interfaces)}
+ ) (cfg.interfaces // {any={allowedUDPPortRanges = cfg.allowedUDPPortRanges;};}))}

# Accept IPv4 multicast. Not a big security risk since
# probably nobody is listening anyway.
@@ -508,15 +508,11 @@ in
};

interfaces = mkOption {
- default = {
- default = mapAttrs (name: value: cfg."${name}") commonOptions;
- };
+ default = { };
type = with types; attrsOf (submodule [ { options = commonOptions; } ]);
description = ''
- Interface-specific open ports. Setting this value will override
- all values of the networking.firewall.allowed*
- options.
+ Interface-specific open ports.
'';
};
} // commonOptions;

From 32779b4c74bac8478bf8dc1d1ce5fe47f6d84d88 Mon Sep 17 00:00:00 2001
From: Ben Blaxill
Date: Tue, 20 Nov 2018 21:29:33 -0500
Subject: [PATCH 2/4] Refactor out the set operations

---
 nixos/modules/services/networking/firewall.nix | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index cf9f9b406e11..9d5d9cfc87bd 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -58,6 +58,9 @@ let
${text}
''; in "${dir}/bin/${name}";
+ anyInterface = { any = mapAttrs (name: value: cfg."${name}") commonOptions; };
+ allInterfaces = anyInterface // cfg.interfaces;
+

startScript = writeShScript "firewall-start" ''
${helpers}
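Review bot: In each of the four new `) (cfg.interfaces // {any={...};}))}` lines the synthesized `any` entry is the right operand of `//`, so a user-defined `interfaces.any` is silently replaced by the global values instead of being able to override them; the precedence should be `{any = ...;} // cfg.interfaces`, which the second patch of this series adopts through `allInterfaces`. Each site also rebuilds the pseudo-interface with only the one option its own lambda reads, which leaves four copies to be kept in step by hand; building the entry once from `commonOptions` and sharing it removes that. The `"default"` to `"any"` change on the ip46tables lines means an attribute literally named `any` now produces rules with no `-i` match, i.e. on every interface, so that name is reserved and deserves a mention in the `interfaces` option description.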
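Review bot: The new description `Interface-specific open ports.` drops the only sentence that told users how these options relate to the global `networking.firewall.allowed*` options, and the relationship has just been inverted: the removed text said interface rules override the global ones, whereas the generated rules now apply the global ports on every interface in addition to the per-interface ones. That widens what is reachable for an existing configuration that set `interfaces.<name>.*` and relied on the global ports being dropped, so it should be stated where the option is defined rather than only in release notes. Suggested text: `Interface-specific open ports. These are applied in addition to the global networking.firewall.allowed* options, which match on every interface; the interface name any is reserved for those global rules.`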
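Review bot: `anyInterface // cfg.interfaces` now lets a user-defined `interfaces.any` take precedence, but because `//` merges one level deep and a submodule value carries defaults for every option, assigning any single option under `interfaces.any` discards all of the global allowed* values at once, including ports that other modules opened through the global options; that consequence is visible only by reading the merge and deserves a comment above the binding, e.g. `# The "any" pseudo-interface carries the global allowed* options; a user-defined interfaces.any replaces it entirely.` Style: `cfg."${name}"` quotes an interpolation that Nix does not require for a dynamic attribute lookup; `cfg.${name}` reads more directly.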
@@ -154,7 +157,7 @@ let
ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
''
) cfg.allowedTCPPorts
- ) (cfg.interfaces // {any={allowedTCPPorts = cfg.allowedTCPPorts;};}))}
+ ) allInterfaces)}

# Accept connections to the allowed TCP port ranges.
${concatStrings (mapAttrsToList (iface: cfg:
@@ -164,7 +167,7 @@ let
ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
''
) cfg.allowedTCPPortRanges
- ) (cfg.interfaces // {any={allowedTCPPortRanges = cfg.allowedTCPPortRanges;};}))}
+ ) allInterfaces)}

# Accept packets on the allowed UDP ports.
${concatStrings (mapAttrsToList (iface: cfg:
@@ -173,7 +176,7 @@ let
ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
''
) cfg.allowedUDPPorts
- ) (cfg.interfaces // {any={allowedUDPPorts = cfg.allowedUDPPorts;};}))}
+ ) allInterfaces)}

# Accept packets on the allowed UDP port ranges.
${concatStrings (mapAttrsToList (iface: cfg:
@@ -183,7 +186,7 @@ let
ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
''
) cfg.allowedUDPPortRanges
- ) (cfg.interfaces // {any={allowedUDPPortRanges = cfg.allowedUDPPortRanges;};}))}
+ ) allInterfaces)}

# Accept IPv4 multicast. Not a big security risk since
# probably nobody is listening anyway.

From b48c6d051bc621a8f4fe5f5ebf2a846c97dfa971 Mon Sep 17 00:00:00 2001
From: Ben Blaxill
Date: Wed, 21 Nov 2018 17:08:12 -0500
Subject: [PATCH 3/4] Add release notes

---
 nixos/doc/manual/release-notes/rl-1903.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml
index a1f715a3adf1..82f040d668fe 100644
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@@ -220,6 +220,13 @@ reset to the default value (false).
+
+
+ NixOS global firewall allow options (networking.firewall.allow*)
+ are now preserved when setting interface specific rules such as
+ networking.firewall.interfaces.en0.allow*.
+
+

From 308ab4ea25f7d6368ba5b7713fa4ef82cdf8e95e Mon Sep 17 00:00:00 2001
From: Ben Blaxill
Date: Thu, 22 Nov 2018 19:24:23 -0500
Subject: [PATCH 4/4] Rename back to default and better release notes

---
 nixos/doc/manual/release-notes/rl-1903.xml | 10 +++++++---
 nixos/modules/services/networking/firewall.nix | 12 ++++++------
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml
index 82f040d668fe..45f77d7f415a 100644
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@@ -222,9 +222,13 @@
- NixOS global firewall allow options (networking.firewall.allow*)
- are now preserved when setting interface specific rules such as
- networking.firewall.interfaces.en0.allow*.
+ Network interface indiscriminate NixOS firewall options
+ (networking.firewall.allow*) are now preserved when also
+ setting interface specific rules such as networking.firewall.interfaces.en0.allow*.
+ These rules continue to use the pseudo device "default"
+ (networking.firewall.interfaces.default.*), and assigning
+ to this pseudo device will override the (networking.firewall.allow*)
+ options.

diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 9d5d9cfc87bd..aba64e4f60ff 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -58,8 +58,8 @@ let
${text}
''; in "${dir}/bin/${name}";
- anyInterface = { any = mapAttrs (name: value: cfg."${name}") commonOptions; };
- allInterfaces = anyInterface // cfg.interfaces;
+ defaultInterface = { default = mapAttrs (name: value: cfg."${name}") commonOptions; };
+ allInterfaces = defaultInterface // cfg.interfaces;

startScript = writeShScript "firewall-start" ''
${helpers}
@@ -154,7 +154,7 @@ let
${concatStrings (mapAttrsToList (iface: cfg:
concatMapStrings (port:
''
- ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
+ ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
''
) cfg.allowedTCPPorts
) allInterfaces)}
@@ -164,7 +164,7 @@ let
concatMapStrings (rangeAttr:
let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
''
- ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
+ ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
''
) cfg.allowedTCPPortRanges
) allInterfaces)}
@@ -173,7 +173,7 @@ let
${concatStrings (mapAttrsToList (iface: cfg:
concatMapStrings (port:
''
- ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
+ ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
''
) cfg.allowedUDPPorts
) allInterfaces)}
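Review bot: The rename makes `default` the reserved pseudo-interface again and the release note in this patch explains that assigning to `interfaces.default` overrides the global allowed* options, but the `interfaces` option description, reduced to `Interface-specific open ports.` by the first patch of the series, is not updated here, so the override semantics are documented nowhere in the module itself. Because `defaultInterface // cfg.interfaces` is a shallow merge and a submodule value carries defaults for every option, setting only `interfaces.default.allowedTCPPorts` also drops the global `allowedUDPPorts` and both range options, which is coarser than "override" suggests; the description should say that any assignment to `interfaces.default` replaces all global allowed* values. A one-line comment above `defaultInterface` stating the same would help the next reader of the merge. The following hunks only carry the rename.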
@@ -183,7 +183,7 @@ let
concatMapStrings (rangeAttr:
let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
''
- ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
+ ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
''
) cfg.allowedUDPPortRanges
) allInterfaces)}