Merge pull request #50641 from blaxill/firewallMerge
nixos/firewall: Always use global firewall.allowed rules
commit
d3aeed389c
@ -222,6 +222,17 @@
|
|||||||
reset to the default value (<literal>false</literal>).
|
reset to the default value (<literal>false</literal>).
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
Network interface indiscriminate NixOS firewall options
|
||||||
|
(<literal>networking.firewall.allow*</literal>) are now preserved when also
|
||||||
|
setting interface specific rules such as <literal>networking.firewall.interfaces.en0.allow*</literal>.
|
||||||
|
These rules continue to use the pseudo device "default"
|
||||||
|
(<literal>networking.firewall.interfaces.default.*</literal>), and assigning
|
||||||
|
to this pseudo device will override the (<literal>networking.firewall.allow*</literal>)
|
||||||
|
options.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
@ -58,6 +58,9 @@ let
|
|||||||
${text}
|
${text}
|
||||||
''; in "${dir}/bin/${name}";
|
''; in "${dir}/bin/${name}";
|
||||||
|
|
||||||
|
defaultInterface = { default = mapAttrs (name: value: cfg."${name}") commonOptions; };
|
||||||
|
allInterfaces = defaultInterface // cfg.interfaces;
|
||||||
|
|
||||||
startScript = writeShScript "firewall-start" ''
|
startScript = writeShScript "firewall-start" ''
|
||||||
${helpers}
|
${helpers}
|
||||||
|
|
||||||
@ -154,7 +157,7 @@ let
|
|||||||
ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
|
ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
|
||||||
''
|
''
|
||||||
) cfg.allowedTCPPorts
|
) cfg.allowedTCPPorts
|
||||||
) cfg.interfaces)}
|
) allInterfaces)}
|
||||||
|
|
||||||
# Accept connections to the allowed TCP port ranges.
|
# Accept connections to the allowed TCP port ranges.
|
||||||
${concatStrings (mapAttrsToList (iface: cfg:
|
${concatStrings (mapAttrsToList (iface: cfg:
|
||||||
@ -164,7 +167,7 @@ let
|
|||||||
ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
|
ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
|
||||||
''
|
''
|
||||||
) cfg.allowedTCPPortRanges
|
) cfg.allowedTCPPortRanges
|
||||||
) cfg.interfaces)}
|
) allInterfaces)}
|
||||||
|
|
||||||
# Accept packets on the allowed UDP ports.
|
# Accept packets on the allowed UDP ports.
|
||||||
${concatStrings (mapAttrsToList (iface: cfg:
|
${concatStrings (mapAttrsToList (iface: cfg:
|
||||||
@ -173,7 +176,7 @@ let
|
|||||||
ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
|
ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
|
||||||
''
|
''
|
||||||
) cfg.allowedUDPPorts
|
) cfg.allowedUDPPorts
|
||||||
) cfg.interfaces)}
|
) allInterfaces)}
|
||||||
|
|
||||||
# Accept packets on the allowed UDP port ranges.
|
# Accept packets on the allowed UDP port ranges.
|
||||||
${concatStrings (mapAttrsToList (iface: cfg:
|
${concatStrings (mapAttrsToList (iface: cfg:
|
||||||
@ -183,7 +186,7 @@ let
|
|||||||
ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
|
ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
|
||||||
''
|
''
|
||||||
) cfg.allowedUDPPortRanges
|
) cfg.allowedUDPPortRanges
|
||||||
) cfg.interfaces)}
|
) allInterfaces)}
|
||||||
|
|
||||||
# Accept IPv4 multicast. Not a big security risk since
|
# Accept IPv4 multicast. Not a big security risk since
|
||||||
# probably nobody is listening anyway.
|
# probably nobody is listening anyway.
|
||||||
@ -508,15 +511,11 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
interfaces = mkOption {
|
interfaces = mkOption {
|
||||||
default = {
|
default = { };
|
||||||
default = mapAttrs (name: value: cfg."${name}") commonOptions;
|
|
||||||
};
|
|
||||||
type = with types; attrsOf (submodule [ { options = commonOptions; } ]);
|
type = with types; attrsOf (submodule [ { options = commonOptions; } ]);
|
||||||
description =
|
description =
|
||||||
''
|
''
|
||||||
Interface-specific open ports. Setting this value will override
|
Interface-specific open ports.
|
||||||
all values of the <literal>networking.firewall.allowed*</literal>
|
|
||||||
options.
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
} // commonOptions;
|
} // commonOptions;
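Review bot: The new description of the `interfaces` option (the line now reading `Interface-specific open ports.`) drops the explanation of how interface rules relate to the global `networking.firewall.allow*` options, so a user reading the option through the manual or nixos-option no longer learns about the `default` pseudo device that the `defaultInterface`/`allInterfaces` bindings in the `-58,6 +58,9` hunk introduce. I would extend the description to something like `Interface-specific open ports. The pseudo device "default" carries the values of the global networking.firewall.allow* options and applies to all interfaces; setting networking.firewall.interfaces.default.* overrides those options.`, matching the wording this commit adds to the release notes. It is also worth stating in that text that the global lists are now always installed alongside interface rules, because a configuration that previously relied on `interfaces` overriding the global lists to narrow exposure will, after this change, accept the globally listed ports on every interface. The let-block that defines `allInterfaces` and the option set that contains `interfaces` both continue outside the hunks shown.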
|
||||||
|