feat(nftables): update to new nftables firewall branch

2023-10-15 14:10:06 +02:00 · 2023-10-15 14:10:06 +02:00 · 1f9a28c3db
commit 1f9a28c3db
parent 051fdc24cb
11 changed files with 48 additions and 100 deletions
--- a/flake.lock
+++ b/flake.lock
@ -845,15 +845,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1695065444,
-        "narHash": "sha256-c39mzyE1Z95bOjNfcCpENdQUn8lgTQFXNDeDguZnKs4=",
+        "lastModified": 1694993757,
+        "narHash": "sha256-aXjkz/3rSuJ78Ry0ekzcTrdwvdgJwFyblOSL/PdgbUo=",
        "owner": "thelegy",
        "repo": "nixos-nftables-firewall",
-        "rev": "f1d43094940379f8aa3b7ef750b48db48b622584",
+        "rev": "0680e272f389a8101f87dd82be0a8132c8eabddf",
        "type": "github"
      },
      "original": {
        "owner": "thelegy",
+        "ref": "opt-in-rules",
        "repo": "nixos-nftables-firewall",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -56,7 +56,7 @@
    };

    nixos-nftables-firewall = {
-      url = "github:thelegy/nixos-nftables-firewall";
+      url = "github:thelegy/nixos-nftables-firewall/opt-in-rules";
      inputs.nixpkgs.follows = "nixpkgs";
    };

--- a/hosts/kroma/net.nix
+++ b/hosts/kroma/net.nix
@ -1,8 +1,4 @@
-{
-  config,
-  lib,
-  ...
-}: {
+{config, ...}: {
  networking = {
    inherit (config.repo.secrets.local.networking) hostId;
    wireless.iwd.enable = true;
@ -37,8 +33,6 @@
  };

  networking.nftables.firewall = {
-    zones = lib.mkForce {
-      untrusted.interfaces = ["lan1" "wlan1"];
-    };
+    zones.untrusted.interfaces = ["lan1" "wlan1"];
  };
 }
--- a/hosts/nom/net.nix
+++ b/hosts/nom/net.nix
@ -1,8 +1,4 @@
-{
-  config,
-  lib,
-  ...
-}: {
+{config, ...}: {
  networking = {
    inherit (config.repo.secrets.local.networking) hostId;
    wireless.iwd.enable = true;
@ -37,8 +33,6 @@
  };

  networking.nftables.firewall = {
-    zones = lib.mkForce {
-      untrusted.interfaces = ["lan1" "wlan1"];
-    };
+    zones.untrusted.interfaces = ["lan1" "wlan1"];
  };
 }
--- a/hosts/sentinel/net.nix
+++ b/hosts/sentinel/net.nix
@ -1,8 +1,4 @@
-{
-  config,
-  lib,
-  ...
-}: {
+{config, ...}: {
  networking.hostId = config.repo.secrets.local.networking.hostId;
  networking.domain = config.repo.secrets.local.personalDomain;

@ -35,21 +31,18 @@
    };
  };

-  # TODO mkForce nftables
  networking.nftables.firewall = {
-    zones = lib.mkForce {
+    zones = {
      untrusted.interfaces = ["wan"];
      proxy-sentinel.interfaces = ["proxy-sentinel"];
    };
-    rules = lib.mkForce {
    # Allow accessing nginx through the proxy
-      proxy-sentinel-to-local = {
+    rules.proxy-sentinel-to-local = {
      from = ["proxy-sentinel"];
      to = ["local"];
      allowedTCPPorts = [80 443];
    };
  };
-  };

  meta.wireguard.proxy-sentinel.server = {
    host = config.networking.fqdn;
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -95,19 +95,15 @@ in {
    };
  };

-  # TODO mkForce nftables
  networking.nftables.firewall = {
-    zones = lib.mkForce {
+    snippets.nnf-icmp.ipv6Types = ["mld-listener-query" "nd-router-solicit"];
+
+    zones = {
      untrusted.interfaces = ["wan"];
      lan.interfaces = ["lan-self"];
    };

-    rules = lib.mkForce {
-      icmp = {
-        # accept ipv6 router solicit and multicast listener discovery query
-        extraLines = ["ip6 nexthdr icmpv6 icmpv6 type { mld-listener-query, nd-router-solicit } accept"];
-      };
-
+    rules = {
      masquerade = {
        from = ["lan"];
        to = ["untrusted"];
--- a/hosts/zackbiene/net.nix
+++ b/hosts/zackbiene/net.nix
@ -46,10 +46,7 @@ in {
    };
  };

-  # TODO mkForce nftables
  networking.nftables.firewall = {
-    zones = lib.mkForce {
-      untrusted.interfaces = ["lan1"];
-    };
+    zones.untrusted.interfaces = ["lan1"];
  };
 }
--- a/modules/config/nftables.nix
+++ b/modules/config/nftables.nix
@ -27,34 +27,20 @@

    firewall = {
      enable = true;
-
-      # TODO mkForce nftables
-      zones = lib.mkForce {
-        local.localZone = true;
+      localZoneName = "local";
+      snippets = {
+        nnf-conntrack.enable = true;
+        nnf-drop.enable = true;
+        nnf-loopback.enable = true;
+        nnf-ssh.enable = true;
+        nnf-icmp = {
+          enable = true;
+          ipv6Types = ["echo-request" "destination-unreachable" "packet-too-big" "time-exceeded" "parameter-problem" "nd-router-advert" "nd-neighbor-solicit" "nd-neighbor-advert"];
+          ipv4Types = ["echo-request" "destination-unreachable" "router-advertisement" "time-exceeded" "parameter-problem"];
+        };
      };

-      rules = lib.mkForce {
-        icmp = {
-          early = true;
-          after = ["ct"];
-          from = "all";
-          to = ["local"];
-          extraLines = [
-            "ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept"
-            "ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept"
-            #"ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp dport 546 accept" # (dhcpv6)
-          ];
-        };
-
-        ssh = {
-          early = true;
-          after = ["ct"];
-          from = "all";
-          to = ["local"];
-          allowedTCPPorts = config.services.openssh.ports;
-        };
-
-        untrusted-to-local = {
+      rules.untrusted-to-local = {
        from = ["untrusted"];
        to = ["local"];

@ -66,5 +52,4 @@
      };
    };
  };
-  };
 }
--- a/modules/config/resolved.nix
+++ b/modules/config/resolved.nix
@ -60,17 +60,11 @@
    );
  in
    lib.mkIf (mdnsInterfaces != []) {
-      # TODO mkForce nftables
-      zones = lib.mkForce {
-        mdns.interfaces = mdnsInterfaces;
-      };
-
-      rules = lib.mkForce {
-        mdns-to-local = {
+      zones.mdns.interfaces = mdnsInterfaces;
+      rules.mdns-to-local = {
        from = ["mdns"];
        to = ["local"];
        allowedUDPPorts = [5353];
      };
    };
-    };
 }
--- a/modules/meta/microvms.nix
+++ b/modules/meta/microvms.nix
@ -190,11 +190,8 @@
            };
          };

-        # TODO mkForce nftables
        networking.nftables.firewall = {
-          zones = mkForce {
-            untrusted.interfaces = [vmCfg.networking.mainLinkName];
-          };
+          zones.untrusted.interfaces = [vmCfg.networking.mainLinkName];
        };

        meta.wireguard = mkIf vmCfg.localWireguard {
--- a/modules/meta/wireguard.nix
+++ b/modules/meta/wireguard.nix
@ -20,7 +20,6 @@
    mapAttrsToList
    mdDoc
    mergeToplevelConfigs
-    mkForce
    mkIf
    mkOption
    net
@ -134,11 +133,9 @@
      [wgCfg.server.port];

    # Open the port in the given nftables rule if specified
-    # TODO mkForce nftables
-    networking.nftables.firewall.rules = mkForce (
+    networking.nftables.firewall.rules =
      optionalAttrs (isServer && wgCfg.server.openFirewallRules != [])
-      (genAttrs wgCfg.server.openFirewallRules (_: {allowedUDPPorts = [wgCfg.server.port];}))
-    );
+      (genAttrs wgCfg.server.openFirewallRules (_: {allowedUDPPorts = [wgCfg.server.port];}));

    age.secrets =
      concatAttrs (map