authorKjetil Orbekk <kj@orbekk.com>2021-03-07 20:34:57 -0500
committerKjetil Orbekk <kj@orbekk.com>2021-03-07 20:34:57 -0500
commit27136676414d506f26ee0a3e7aa38be545dd64e1 (patch)
tree4b05b5bb9b18264129c70bd97ceac68e5c2224fd /modules/simple-firewall.nix
parent397d074fa395afdfd02073e81cee5576b742f3b6 (diff)
More nftables
Diffstat (limited to 'modules/simple-firewall.nix')
-rw-r--r--modules/simple-firewall.nix49
1 files changed, 27 insertions, 22 deletions
diff --git a/modules/simple-firewall.nix b/modules/simple-firewall.nix
index eda869a..2585a5d 100644
--- a/modules/simple-firewall.nix
+++ b/modules/simple-firewall.nix
@@ -30,35 +30,40 @@ in
let
csvPorts = ports: lib.concatStringsSep "," (map toString ports);
in ''
- table inet filter {
- chain allowed_ports {
- ${lib.optionalString (cfg.allowedTCPPorts != []) ''
- tcp dport {${csvPorts cfg.allowedTCPPorts}} counter accept
- ''}
- ${lib.optionalString (cfg.allowedUDPPorts != []) ''
- udp dport {${csvPorts cfg.allowedUDPPorts}} counter accept
- ''}
- }
+ table inet filter {
+ set allowed_tcp_ports {
+ type inet_service
+ ${lib.optionalString (cfg.allowedTCPPorts != [])''
+ elements = {${csvPorts cfg.allowedTCPPorts}}
+ ''}
+ }
+ set allowed_udp_ports {
+ type inet_service
+ ${lib.optionalString (cfg.allowedUDPPorts != [])''
+ elements = {${csvPorts cfg.allowedUDPPorts}}
+ ''}
+ }
- chain input {
- type filter hook input priority 0
+ chain input {
+ type filter hook input priority 0
- iif lo accept
+ iif lo accept
- ct state {established, related} accept
+ ct state {established, related} accept
- ip protocol icmp limit rate 4/second counter accept
- ip6 nexthdr ipv6-icmp limit rate 4/second counter accept
+ ip protocol icmp limit rate 4/second counter accept
+ ip6 nexthdr ipv6-icmp limit rate 4/second counter accept
- jump allowed_ports
+ tcp dport @allowed_tcp_ports counter accept
+ udp dport @allowed_udp_ports counter accept
- counter drop
- }
+ counter drop
+ }
- chain output {
- type filter hook output priority 0
- counter accept
- }
+ chain output {
+ type filter hook output priority 0
+ counter accept
+ }
}
'';
};
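Review bot: The rewritten `chain input` block still declares no chain policy, so the hook's default policy is accept and the host is protected only by the trailing `counter drop` rule; if that rule is ever removed or the ruleset only partially loads, every port is reachable. I would make the default explicit on the hook line, `type filter hook input priority 0; policy drop;`, and keep the final `counter drop` as the counted fall-through. It would also be worth adding `ct state invalid drop` ahead of `ct state {established, related} accept`, since invalid-state packets currently fall through to the port matches and are accepted whenever they target an allowed port. Referencing `@allowed_tcp_ports` and `@allowed_udp_ports` unconditionally looks fine as far as I can tell, because an empty nftables set is valid and simply matches nothing, which is why the `optionalString` guards only need to wrap the `elements` lines. The enclosing Nix attribute that owns this `let … in ''…''` string starts outside the hunk.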