commit b71d792caadd0c200bebf8c615d9f741ddce4711 · kitten.sh/system

+10 -10

modules/router/nftables.nix

···

       5
       5
        
         cfg = config.modules.router;

     

       6
       6
        
       

     

       7
       7
        
         intern = cfg.interfaces.internal;

     

       8
       8
       -
         extern = cfg.interfaces.external;

     

       8
       8
       +
         trustedInterfaces = config.networking.firewall.trustedInterfaces;

     

       9
       9
       +
         internalInterfaces = lists.remove "lo" trustedInterfaces;

     

       9
       10
        
       

     

       10
       10
       -
         trustedInterfaces =

     

       11
       11
       -
           strings.concatMapStringsSep ", " strings.escapeNixIdentifier config.networking.firewall.trustedInterfaces;

     

       11
       11
       +
         concatIfnames = strings.concatMapStringsSep ", " strings.escapeNixIdentifier;

     

       12
       12
        
       

     

       13
       13
        
         capturePortsRules =

     

       14
       14
        
           strings.concatStringsSep "\n"

     

       15
       15
       -
             (builtins.map (port: "  iifname { ${trustedInterfaces} } udp dport ${toString port} redirect to ${toString port}") cfg.nftables.capturePorts);

     

       15
       15
       +
             (builtins.map (port: "  iifname { ${concatIfnames internalInterfaces} } udp dport ${toString port} redirect to ${toString port}") cfg.nftables.capturePorts);

     

       16
       16
        
       

     

       17
       17
        
         blockForwardRules =

     

       18
       18
        
           if intern != null then

     
···

       64
       64
        
       

     

       65
       65
        
                 chain postrouting {

     

       66
       66
        
                   type nat hook postrouting priority 0; policy accept;

     

       67
       67
       -
                   oifname != { ${trustedInterfaces} } masquerade

     

       67
       67
       +
                   oifname != { ${concatIfnames trustedInterfaces} } masquerade

     

       68
       68
        
                 }

     

       69
       69
        
       

     

       70
       70
        
                 chain input {

     

       71
       71
        
                   type filter hook input priority 0;

     

       72
       72
        
                   ct state { established, related } accept

     

       73
       73
        
                   ct state invalid drop

     

       74
       74
       -
                   iifname { ${trustedInterfaces} } accept

     

       75
       75
       -
                   iifname { ${trustedInterfaces} } pkttype { broadcast, multicast } accept

     

       74
       74
       +
                   iifname { ${concatIfnames trustedInterfaces} } accept

     

       75
       75
       +
                   iifname { ${concatIfnames trustedInterfaces} } pkttype { broadcast, multicast } accept

     

       76
       76
        
                   tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop

     

       77
       77
        
                   tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop

     

       78
       78
        
                   tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop

     
···

       93
       93
        
                   ip6 nexthdr ipv6-icmp accept

     

       94
       94
        
                   udp dport dhcpv6-client accept

     

       95
       95
        
                   ${blockForwardRules}

     

       96
       96
       -
                   iifname { ${trustedInterfaces} } accept

     

       97
       97
       -
                   oifname { ${trustedInterfaces} } ct state { established, related } accept

     

       96
       96
       +
                   iifname { ${concatIfnames trustedInterfaces} } accept

     

       97
       97
       +
                   oifname { ${concatIfnames trustedInterfaces} } ct state { established, related } accept

     

       98
       98
        
                   ct state invalid drop

     

       99
       99
        
                 }

     

       100
       100
        
       

     
···

       113
       113
        
               content = ''

     

       114
       114
        
                 chain input {

     

       115
       115
        
                   type filter hook input priority 0; policy accept;

     

       116
       116
       -
                   iifname != { ${trustedInterfaces} } limit rate 1/second burst 2 packets accept

     

       116
       116
       +
                   iifname != { ${concatIfnames trustedInterfaces} } limit rate 1/second burst 2 packets accept

     

       117
       117
        
                 }

     

       118
       118
        
       

     

       119
       119
        
                 chain output {

+14 -9

modules/router/timeserver.nix

···

       4
       4
        
       let

     

       5
       5
        
         cfg = config.modules.router;

     

       6
       6
        
       

     

       7
       7
       -
         listenInterfaces =

     

       8
       8
       -
           strings.concatStringsSep "\n"

     

       9
       9
       -
             (builtins.map (ifname: "interface listen ${ifname}") config.networking.firewall.trustedInterfaces);

     

       7
       7
       +
         intern = cfg.interfaces.internal;

     

       10
       8
        
       

     

       11
       11
       -
         ntpExtraConfig = ''

     

       12
       12
       -
           ${listenInterfaces}

     

       13
       13
       -
           interface ignore ${cfg.interfaces.external.name}

     

       14
       14
       -
         '';

     

       9
       9
       +
         bindDevices =

     

       10
       10
       +
           strings.concatStringsSep "\n"

     

       11
       11
       +
             (builtins.map (ifname: "binddevice ${ifname}")

     

       12
       12
       +
               (lists.remove "lo" config.networking.firewall.trustedInterfaces));

     

       15
       13
        
       in {

     

       16
       14
        
         options.modules.router = {

     

       17
       15
        
           timeserver.enable = mkOption {

     
···

       24
       22
        
         config = mkIf cfg.timeserver.enable {

     

       25
       23
        
           networking.timeServers = [ "time.cloudflare.com" ];

     

       26
       24
        
       

     

       27
       27
       -
           services.ntp = {

     

       25
       25
       +
           services.chrony = {

     

       28
       26
        
             enable = true;

     

       29
       29
       -
             extraConfig = ntpExtraConfig;

     

       27
       27
       +
             enableNTS = true;

     

       28
       28
       +
             extraConfig = ''

     

       29
       29
       +
               allow ${intern.cidr}

     

       30
       30
       +
               ${bindDevices}

     

       31
       31
       +
             '';

     

       30
       32
        
           };

     

       33
       33
       +
       

     

       34
       34
       +
           services.ntp.enable = false;

     

       35
       35
       +
           services.openntpd.enable = false;

     

       31
       36
        
         };

     

       32
       37
        
       }