feat(nftables): update to new nftables firewall branch

2025-10-11 07:10:39 +02:00 · 2023-10-15 14:10:06 +02:00 · 2023-10-15 14:10:06 +02:00 · 1f9a28c3db
commit 1f9a28c3db
parent 051fdc24cb
11 changed files with 48 additions and 100 deletions
--- a/hosts/kroma/net.nix
+++ b/hosts/kroma/net.nix
@ -1,8 +1,4 @@
-{
-  config,
-  lib,
-  ...
-}: {
+{config, ...}: {
  networking = {
    inherit (config.repo.secrets.local.networking) hostId;
    wireless.iwd.enable = true;
@ -37,8 +33,6 @@
  };

  networking.nftables.firewall = {
-    zones = lib.mkForce {
-      untrusted.interfaces = ["lan1" "wlan1"];
-    };
+    zones.untrusted.interfaces = ["lan1" "wlan1"];
  };
 }
--- a/hosts/nom/net.nix
+++ b/hosts/nom/net.nix
@ -1,8 +1,4 @@
-{
-  config,
-  lib,
-  ...
-}: {
+{config, ...}: {
  networking = {
    inherit (config.repo.secrets.local.networking) hostId;
    wireless.iwd.enable = true;
@ -37,8 +33,6 @@
  };

  networking.nftables.firewall = {
-    zones = lib.mkForce {
-      untrusted.interfaces = ["lan1" "wlan1"];
-    };
+    zones.untrusted.interfaces = ["lan1" "wlan1"];
  };
 }
--- a/hosts/sentinel/net.nix
+++ b/hosts/sentinel/net.nix
@ -1,8 +1,4 @@
-{
-  config,
-  lib,
-  ...
-}: {
+{config, ...}: {
  networking.hostId = config.repo.secrets.local.networking.hostId;
  networking.domain = config.repo.secrets.local.personalDomain;

@ -35,19 +31,16 @@
    };
  };

-  # TODO mkForce nftables
  networking.nftables.firewall = {
-    zones = lib.mkForce {
+    zones = {
      untrusted.interfaces = ["wan"];
      proxy-sentinel.interfaces = ["proxy-sentinel"];
    };
-    rules = lib.mkForce {
-      # Allow accessing nginx through the proxy
-      proxy-sentinel-to-local = {
-        from = ["proxy-sentinel"];
-        to = ["local"];
-        allowedTCPPorts = [80 443];
-      };
+    # Allow accessing nginx through the proxy
+    rules.proxy-sentinel-to-local = {
+      from = ["proxy-sentinel"];
+      to = ["local"];
+      allowedTCPPorts = [80 443];
    };
  };

--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -95,19 +95,15 @@ in {
    };
  };

-  # TODO mkForce nftables
  networking.nftables.firewall = {
-    zones = lib.mkForce {
+    snippets.nnf-icmp.ipv6Types = ["mld-listener-query" "nd-router-solicit"];
+
+    zones = {
      untrusted.interfaces = ["wan"];
      lan.interfaces = ["lan-self"];
    };

-    rules = lib.mkForce {
-      icmp = {
-        # accept ipv6 router solicit and multicast listener discovery query
-        extraLines = ["ip6 nexthdr icmpv6 icmpv6 type { mld-listener-query, nd-router-solicit } accept"];
-      };
-
+    rules = {
      masquerade = {
        from = ["lan"];
        to = ["untrusted"];
--- a/hosts/zackbiene/net.nix
+++ b/hosts/zackbiene/net.nix
@ -46,10 +46,7 @@ in {
    };
  };

-  # TODO mkForce nftables
  networking.nftables.firewall = {
-    zones = lib.mkForce {
-      untrusted.interfaces = ["lan1"];
-    };
+    zones.untrusted.interfaces = ["lan1"];
  };
 }