fix: ajust firewall rule names and wireguard link name to match

2025-10-11 07:10:39 +02:00 · 2023-05-20 19:35:17 +02:00 · 2023-05-20 19:35:17 +02:00 · 0221a24225
commit 0221a24225
parent 3862bd6b14
3 changed files with 31 additions and 7 deletions
--- a/modules/microvms.nix
+++ b/modules/microvms.nix
@ -165,7 +165,7 @@
        networking.nftables.firewall = {
          zones = mkForce {
            "${vmCfg.networking.mainLinkName}".interfaces = [vmCfg.networking.mainLinkName];
-            "local-vms".interfaces = ["wg-local-vms"];
+            local-vms.interfaces = ["local-vms"];
          };

          rules = mkForce {
@ -175,7 +175,7 @@
            };

            local-vms-to-local = {
-              from = ["wg-local-vms"];
+              from = ["local-vms"];
              to = ["local"];
            };
          };
@ -193,6 +193,7 @@
            via = nodeName;
            keepalive = false;
          };
+          linkName = "local-vms";
          ipv4 = net.cidr.host vmCfg.id cfg.networking.wireguard.cidrv4;
          ipv6 = net.cidr.host vmCfg.id cfg.networking.wireguard.cidrv6;
        };
@ -401,9 +402,25 @@ in {
          inherit (cfg.networking) host;
          inherit (cfg.networking.wireguard) openFirewallRules port;
        };
+        linkName = "local-vms";
        ipv4 = net.cidr.host 1 cfg.networking.wireguard.cidrv4;
        ipv6 = net.cidr.host 1 cfg.networking.wireguard.cidrv6;
      };
+
+      # Create a firewall zone for the secure vm traffic
+      # TODO mkForce nftables
+      networking.nftables.firewall = {
+        zones = mkForce {
+          local-vms.interfaces = ["local-vms"];
+        };
+
+        rules = mkForce {
+          local-vms-to-local = {
+            from = ["local-vms"];
+            to = ["local"];
+          };
+        };
+      };
    }
    // extraLib.mergeToplevelConfigs ["disko" "microvm" "systemd"] (mapAttrsToList microvmConfig vms)
  );
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@ -87,11 +87,12 @@
    # Adds context information to the assertions for this network
    assertionPrefix = "Wireguard network '${wgName}' on '${nodeName}'";

-    # Calculates which traffic should be routed to a given server node
+    # Calculates the allowed ips for another server from our perspective.
    # Usually we just want to allow other peers to route traffic
    # for our "children" through us, additional to traffic to us of course.
    # If a server exposes additional network access (global, lan, ...),
-    # these can be added aswell. TODO (do that)
+    # these can be added aswell.
+    # TODO (do that)
    serverAllowedIPs = serverNode: let
      snCfg = wgCfgOf serverNode;
    in
@ -160,7 +161,7 @@
    systemd.network.netdevs."${toString wgCfg.priority}-${wgName}" = {
      netdevConfig = {
        Kind = "wireguard";
-        Name = "${wgName}";
+        Name = wgCfg.linkName;
        Description = "Wireguard network ${wgName}";
      };
      wireguardConfig =
@ -228,7 +229,7 @@
    };

    systemd.network.networks."${toString wgCfg.priority}-${wgName}" = {
-      matchConfig.Name = wgName;
+      matchConfig.Name = wgCfg.linkName;
      address = map toNetworkAddr wgCfg.addresses;
    };
  };
@ -315,6 +316,12 @@ in {
          description = mdDoc "The order priority used when creating systemd netdev and network files.";
        };

+        linkName = mkOption {
+          default = "wg-${name}";
+          type = types.str;
+          description = mdDoc "The name for the created network interface.";
+        };
+
        ipv4 = mkOption {
          type = net.types.ipv4;
          description = mdDoc "The ipv4 address for this machine.";