forked from mirrors/nixpkgs
nixos/firewall: Always use global firewall.allowed rules
Apply global firewall.allowed* rules separately from the interface specific rules.
This commit is contained in:
parent
0925c482c8
commit
551d2f7ed2
|
@ -151,39 +151,39 @@ let
|
|||
${concatStrings (mapAttrsToList (iface: cfg:
|
||||
concatMapStrings (port:
|
||||
''
|
||||
ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
|
||||
ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
|
||||
''
|
||||
) cfg.allowedTCPPorts
|
||||
) cfg.interfaces)}
|
||||
) (cfg.interfaces // {any={allowedTCPPorts = cfg.allowedTCPPorts;};}))}
|
||||
|
||||
# Accept connections to the allowed TCP port ranges.
|
||||
${concatStrings (mapAttrsToList (iface: cfg:
|
||||
concatMapStrings (rangeAttr:
|
||||
let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
|
||||
''
|
||||
ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
|
||||
ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
|
||||
''
|
||||
) cfg.allowedTCPPortRanges
|
||||
) cfg.interfaces)}
|
||||
) (cfg.interfaces // {any={allowedTCPPortRanges = cfg.allowedTCPPortRanges;};}))}
|
||||
|
||||
# Accept packets on the allowed UDP ports.
|
||||
${concatStrings (mapAttrsToList (iface: cfg:
|
||||
concatMapStrings (port:
|
||||
''
|
||||
ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
|
||||
ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
|
||||
''
|
||||
) cfg.allowedUDPPorts
|
||||
) cfg.interfaces)}
|
||||
) (cfg.interfaces // {any={allowedUDPPorts = cfg.allowedUDPPorts;};}))}
|
||||
|
||||
# Accept packets on the allowed UDP port ranges.
|
||||
${concatStrings (mapAttrsToList (iface: cfg:
|
||||
concatMapStrings (rangeAttr:
|
||||
let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
|
||||
''
|
||||
ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
|
||||
ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "any") "-i ${iface}"}
|
||||
''
|
||||
) cfg.allowedUDPPortRanges
|
||||
) cfg.interfaces)}
|
||||
) (cfg.interfaces // {any={allowedUDPPortRanges = cfg.allowedUDPPortRanges;};}))}
|
||||
|
||||
# Accept IPv4 multicast. Not a big security risk since
|
||||
# probably nobody is listening anyway.
|
||||
|
@ -508,15 +508,11 @@ in
|
|||
};
|
||||
|
||||
interfaces = mkOption {
|
||||
default = {
|
||||
default = mapAttrs (name: value: cfg."${name}") commonOptions;
|
||||
};
|
||||
default = { };
|
||||
type = with types; attrsOf (submodule [ { options = commonOptions; } ]);
|
||||
description =
|
||||
''
|
||||
Interface-specific open ports. Setting this value will override
|
||||
all values of the <literal>networking.firewall.allowed*</literal>
|
||||
options.
|
||||
Interface-specific open ports.
|
||||
'';
|
||||
};
|
||||
} // commonOptions;
|
||||
|
|
Loading…
Reference in a new issue