broken: nft filter own packets

This commit is contained in:
Patrick 2025-01-02 22:04:16 +01:00
parent 8945812b8c
commit 690f98b0a6
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
5 changed files with 106 additions and 28 deletions


@ -1,11 +1,11 @@
{ {
lib, lib,
config, config,
pkgs,
... ...
}: }:
{ {
networking = { networking = {
search = [ "local" ];
useNetworkd = true; useNetworkd = true;
dhcpcd.enable = false; dhcpcd.enable = false;
useDHCP = false; useDHCP = false;
@ -42,5 +42,31 @@
MulticastDNS=true MulticastDNS=true
''; '';
}; };
networking.nftables.ruleset = ''
table inet mdns {
set OWN_IPS {
typeof ip saddr
elements = { 127.0.0.1 }
}
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
udp dport 5353 ip saddr @OWN_IPS drop;
}
}
'';
services.networkd-dispatcher = {
enable = true;
rules = {
disable-mdns = {
onState = [ "configured" ];
script = ''
ADDRS=$(${lib.getExe' pkgs.iproute2 "ip"} -j -o addr | ${lib.getExe pkgs.jq} -r ".[] | .addr_info[] | select(.dev != \"lo\") | .local")
for i in $ADDRS; do
${lib.getExe pkgs.nftables} add element inet mdns OWN_IPS "{ $i }"
done
'';
};
};
};
} }
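Review bot: The jq filter on the `ADDRS=` line applies `select(.dev != "lo")` inside `.addr_info[]`, but as far as I recall `ip -j addr` keeps the interface name on the outer object as `.ifname` while addr_info entries carry `family`/`local`, so the select never excludes anything and every address (127.0.0.1, ::1, IPv6 link-locals) is fed to `nft add element`; the set is declared `typeof ip saddr` (IPv4 only), so the first IPv6 element makes that call fail. Consider `select(.ifname != "lo") | .addr_info[] | select(.family == "inet") | .local` (escaped as on the existing line), plus a second ipv6 set and an `ip6 saddr` rule if mDNS over IPv6 should be filtered as well. The set is also never flushed, so addresses that are removed or renumbered stay in it across reconfigurations; a `nft flush set inet mdns OWN_IPS` ahead of the loop, followed by re-adding 127.0.0.1, keeps it in step with the live address list. With the dispatcher script moving to writeShellApplication in the added patch, the loop will presumably run under `set -euo pipefail` and shellcheck, so one failing nft call aborts the rest and the unquoted `$ADDRS` expansion is likely to be flagged at build time — that may be the breakage the title refers to.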


@ -16,7 +16,10 @@
intel2200BGFirmware intel2200BGFirmware
]; ];
boot.kernel.sysctl."net.ipv4.ip_forward" = 1; boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.nftables.firewall.zones.untrusted.interfaces = [ "lan-services" ]; networking.nftables.firewall.zones.untrusted.interfaces = [
"lan-services"
"lan-home"
];
hardware.wirelessRegulatoryDatabase = true; hardware.wirelessRegulatoryDatabase = true;
# systemd.network = { # systemd.network = {
# netdevs."40-wifi-home" = { # netdevs."40-wifi-home" = {
@ -40,28 +43,28 @@
# }; # };
# }; # };
networking.nftables.firewall.zones.wlan.interfaces = [ "wlan1" ]; # networking.nftables.firewall.zones.wlan.interfaces = [ "wlan1" ];
networking.nftables.firewall.zones.home.interfaces = [ "lan-home" ]; # networking.nftables.firewall.zones.home.interfaces = [ "lan-home" ];
networking.nftables.firewall.rules.wifi-forward = { # networking.nftables.firewall.rules.wifi-forward = {
from = [ "wlan" ]; # from = [ "wlan" ];
to = [ "lan-home" ]; # to = [ "home" ];
verdict = "accept"; # verdict = "accept";
}; # };
systemd.network.networks."40-wifi" = { # systemd.network.networks."40-wifi" = {
matchConfig.Name = "lan-home"; # matchConfig.Name = "wlan1";
address = [ # address = [
(lib.net.cidr.hostCidr (globals.services.hostapd.ip + 1) globals.net.vlans.home.cidrv4) # (lib.net.cidr.hostCidr (globals.services.hostapd.ip + 1) globals.net.vlans.home.cidrv4)
(lib.net.cidr.hostCidr (globals.services.hostapd.ip + 1) globals.net.vlans.home.cidrv6) # (lib.net.cidr.hostCidr (globals.services.hostapd.ip + 1) globals.net.vlans.home.cidrv6)
]; # ];
gateway = [ # gateway = [
(lib.net.cidr.host 1 globals.net.vlans.home.cidrv4) # (lib.net.cidr.host 1 globals.net.vlans.home.cidrv4)
(lib.net.cidr.host 1 globals.net.vlans.home.cidrv6) # (lib.net.cidr.host 1 globals.net.vlans.home.cidrv6)
]; # ];
#
}; # };
#
services.hostapd = { services.hostapd = {
enable = true; # enable = true;
radios.wlan1 = { radios.wlan1 = {
band = "2g"; band = "2g";
countryCode = "DE"; countryCode = "DE";
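Review bot: The new side keeps `services.hostapd = { radios.wlan1 = … }` with only `enable = true;` commented out, and the zone, forward-rule and `40-wifi` network definitions above it survive as `#` lines (including the bare `#` lines where the block had empty positions), so the file now carries a large dead configuration block whose status a reader cannot tell apart from the live settings. Moving `lan-home` into `zones.untrusted.interfaces` in the first hunk is what makes the old `wifi-forward` accept rule inconsistent, so disabling it is sound, but the leftover should either be deleted (history keeps it) or gated on a single `lib.mkIf` switch with one comment stating the reason, e.g. `# hostapd on this host disabled: <reason>`. The enclosing attribute set starts before and ends after this hunk.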


@ -112,7 +112,7 @@ in
// mkContainer "nginx" { } // mkContainer "nginx" { }
// mkMicrovm "hostapd" { // mkMicrovm "hostapd" {
vlans = [ vlans = [
"guests" # "guests"
"home" "home"
"services" "services"
]; ];


@ -8,6 +8,12 @@ let
cfg = { cfg = {
interfaces = "lan-.*"; interfaces = "lan-.*";
rules = [ rules = [
{
from = ".*";
to = "lan-home";
allow_questions = "";
allow_answers = ".*";
}
{ {
from = "lan-home"; from = "lan-home";
to = "lan-services"; to = "lan-services";
@ -15,10 +21,10 @@ let
allow_answers = ""; allow_answers = "";
} }
{ {
from = "lan-services"; from = "lan-home";
to = "lan-home"; to = "lan-devices";
allow_questions = ""; allow_questions = "(printer|ipp)";
allow_answers = "(nucnix|elisabeth)"; allow_answers = "";
} }
]; ];
}; };
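Review bot: The rule added at the top of `rules` combines `from = ".*"` with `allow_answers = ".*"`, which reflects every answer from every interface matched by `lan-.*` into `lan-home` — including answers originating on lan-home itself and on segments the other rules deliberately restrict — and it replaces the previous explicit `(nucnix|elisabeth)` allow-list from lan-services with an allow-all. Any host on a matched segment can then announce arbitrary names into the home segment, so the source should be named explicitly, e.g. `from = "lan-(services|devices)";`, with `allow_answers` narrowed back to the expected hostnames where possible. Whether the self-match of `.*` is what produces the looped-back own packets the nft rule in the network config tries to drop depends on how the reflector treats same-interface rules, which I cannot tell from here. The `cfg` let-binding continues outside both hunks.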

43
patches/PR/370347.diff Normal file

@ -0,0 +1,43 @@
diff --git a/nixos/modules/services/networking/networkd-dispatcher.nix b/nixos/modules/services/networking/networkd-dispatcher.nix
index 49d5cd545656a..5e307d81624ee 100644
--- a/nixos/modules/services/networking/networkd-dispatcher.nix
+++ b/nixos/modules/services/networking/networkd-dispatcher.nix
@@ -102,21 +102,23 @@ in
services.networkd-dispatcher.extraArgs =
let
- scriptDir = pkgs.symlinkJoin {
- name = "networkd-dispatcher-script-dir";
- paths = lib.mapAttrsToList (
- name: cfg:
- (map (
- state:
- pkgs.writeTextFile {
- inherit name;
- text = cfg.script;
- destination = "/${state}.d/${name}";
- executable = true;
- }
- ) cfg.onState)
- ) cfg.rules;
- };
+ scriptDir = pkgs.runCommand "networkd-dispatcher-script-dir" { } ''
+ mkdir $out
+ ${lib.concatStrings (
+ lib.mapAttrsToList (
+ name: cfg:
+ (lib.concatStrings (
+ map (state: ''
+ mkdir -p $out/${state}.d
+ ln -s ${
+ pkgs.writeShellApplication {
+ inherit name;
+ text = cfg.script;
+ }
+ }/bin/${name} $out/${state}.d/${name}'') cfg.onState
+ ))
+ ) cfg.rules
+ )}'';
in
[
"--verbose"