feat: allow IGMP traffic and all ICMP traffic

2025-01-26 17:59:58 +01:00 · 2025-01-26 17:59:58 +01:00 · 342c4787ab
commit 342c4787ab
parent c39a285bc9
2 changed files with 15 additions and 25 deletions
--- a/config/nftables.nix
+++ b/config/nftables.nix
@ -15,6 +15,7 @@
          iifname lo accept
          meta l4proto ipv6-icmp accept
          meta l4proto icmp accept
+          ip protocol igmp accept
          tcp dport ${toString (lib.head config.services.openssh.ports)} accept
        }
        chain forward {
@ -35,26 +36,6 @@
        nnf-drop.enable = true;
        nnf-loopback.enable = true;
        nnf-ssh.enable = true;
-        nnf-icmp = {
-          enable = true;
-          ipv6Types = [
-            "echo-request"
-            "destination-unreachable"
-            "packet-too-big"
-            "time-exceeded"
-            "parameter-problem"
-            "nd-router-advert"
-            "nd-neighbor-solicit"
-            "nd-neighbor-advert"
-          ];
-          ipv4Types = [
-            "echo-request"
-            "destination-unreachable"
-            "router-advertisement"
-            "time-exceeded"
-            "parameter-problem"
-          ];
-        };
      };

      rules.untrusted-to-local = {
@ -68,6 +49,20 @@
          allowedUDPPortRanges
          ;
      };
+
+      rules.icmp-and-igmp = {
+        after = [
+          "ct"
+          "ssh"
+        ];
+        from = "all";
+        to = [ "local" ];
+        extraLines = [
+          "meta l4proto ipv6-icmp accept"
+          "meta l4proto icmp accept"
+          "ip protocol igmp accept"
+        ];
+      };
    };
  };
 }
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -165,11 +165,6 @@
    );

  networking.nftables.firewall = {
-    snippets.nnf-icmp.ipv6Types = [
-      "mld-listener-query"
-      "nd-router-solicit"
-    ];
-
    zones =
      {
        untrusted.interfaces = [ "wan" ];