From 342c4787abd8425cce964b7994e1fd5213d4fd24 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 26 Jan 2025 17:59:58 +0100
Subject: [PATCH] feat: allow IGMP traffic and all ICMP traffic

---
 config/nftables.nix | 35 +++++++++++++++--------------------
 hosts/ward/net.nix | 5 -----
 2 files changed, 15 insertions(+), 25 deletions(-)

diff --git a/config/nftables.nix b/config/nftables.nix
index ee3fd84..d736d37 100644
--- a/config/nftables.nix
+++ b/config/nftables.nix
@@ -15,6 +15,7 @@
 iifname lo accept
 meta l4proto ipv6-icmp accept
 meta l4proto icmp accept
+ ip protocol igmp accept
 tcp dport ${toString (lib.head config.services.openssh.ports)} accept
 }
 chain forward {
@@ -35,26 +36,6 @@
 nnf-drop.enable = true;
 nnf-loopback.enable = true;
 nnf-ssh.enable = true;
- nnf-icmp = {
- enable = true;
- ipv6Types = [
- "echo-request"
- "destination-unreachable"
- "packet-too-big"
- "time-exceeded"
- "parameter-problem"
- "nd-router-advert"
- "nd-neighbor-solicit"
- "nd-neighbor-advert"
- ];
- ipv4Types = [
- "echo-request"
- "destination-unreachable"
- "router-advertisement"
- "time-exceeded"
- "parameter-problem"
- ];
- };
 };
 
 rules.untrusted-to-local = {
@@ -68,6 +49,20 @@
 allowedUDPPortRanges
 ;
 };
+
+ rules.icmp-and-igmp = {
+ after = [
+ "ct"
+ "ssh"
+ ];
+ from = "all";
+ to = [ "local" ];
+ extraLines = [
+ "meta l4proto ipv6-icmp accept"
+ "meta l4proto icmp accept"
+ "ip protocol igmp accept"
+ ];
+ };
 };
 };
 }
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index 12b5d75..aafc5c2 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@@ -165,11 +165,6 @@
 );
 
 networking.nftables.firewall = {
- snippets.nnf-icmp.ipv6Types = [
- "mld-listener-query"
- "nd-router-solicit"
- ];
-
 zones = {
 untrusted.interfaces = [ "wan" ];
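Review bot: The new `rules.icmp-and-igmp` rule in the third config/nftables.nix hunk accepts every ICMPv4 type from `from = "all"` into `local`, while the second hunk removes the curated `nnf-icmp` allowlist, so — if `"all"` includes the untrusted `wan` zone that hosts/ward/net.nix defines, as the name suggests — the WAN side now also gets the types the old list deliberately left out (redirect, timestamp-request, address-mask-request). Whether a WAN-sourced redirect can actually rewrite routes depends on `accept_redirects` on that interface, which this diff does not show; the firewall was the layer that made that moot before. I would keep the unconditional ICMPv6 accept (ND and PMTU discovery need it) but insert `"icmp type { redirect, timestamp-request, address-mask-request } drop"` ahead of `"meta l4proto icmp accept"` in `extraLines`, and consider `"icmp type echo-request limit rate 10/second accept"` instead of an unlimited echo accept. A one-line comment on the rule stating why IGMP must be accepted from all zones rather than only trusted ones would also help, since IGMP membership traffic from the WAN has no obvious use on a host that is not a multicast router. The enclosing `networking.nftables.firewall` attribute set starts before the hunk.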