add (very basic) set support in firewallgen

and add sets for lan/wan/dmz/guest interface names to default firewall rules
2025-02-03 20:46:22 +00:00 · 2025-02-03 20:46:22 +00:00 · 1d780de0f1
commit 1d780de0f1
parent 8cf602da91
3 changed files with 55 additions and 2 deletions
--- a/modules/firewall/default-rules.nix
+++ b/modules/firewall/default-rules.nix
@ -3,6 +3,13 @@ let
  accept = expr : "${expr} accept";
  mcast-scope = 8;
  allow-incoming = false;
  ifname-set = family : name : ifnames : {
    kind = "set";
    inherit family name;
    type = "ifname";
    elements = ifnames;
  };
 in {
  bogons-ip6 = {
    type = "filter";
@ -241,4 +248,13 @@ in {
    ];
  };
  lan-set-ip = ifname-set "ip" "lan" [ "int" ];
  wan-set-ip = ifname-set "ip" "wan" [ "ppp0" ];
  dmz-set-ip = ifname-set "ip" "dmz" [ ];
  guest-set-ip = ifname-set "ip" "guest" [ ];
  lan-set-ip6 = ifname-set "ip6" "lan" [ "int" ];
  wan-set-ip6 = ifname-set "ip6" "wan" [ "ppp0" ];
  dmz-set-ip6 = ifname-set "ip6" "dmz" [ ];
  guest-set-ip6 = ifname-set "ip6" "guest" [ ];
 }
--- a/pkgs/firewallgen/default.nix
+++ b/pkgs/firewallgen/default.nix
@ -43,15 +43,33 @@ let
    ${concatStringsSep "\n" rules}
    }
  '';
  doset = { name, type, elements ? [], ... } : ''
    set ${name}  {
      type ${type}
      ${if elements != []
        then "elements = { ${concatStringsSep ", " elements } }"
        else ""
       }
    }
  '';
  dochainorset =
    { kind ? "chain", ... } @ params :
    {
      chain = dochain;
      set = doset;
    }.${kind} params;
  dotable = family : chains : ''
    table ${family} table-${family} {
-    ${concatStringsSep "\n" (map dochain chains)}
+    ${concatStringsSep "\n" (map dochainorset chains)}
    }
  '';
  categorise = chains :
    groupBy
      ({ family, ... } : family)
-      (mapAttrsToList (n : v : v // { name = n; }) chains);
+      (mapAttrsToList (n : v : { name = n; } // v ) chains);
 in writeScript name ''
 #!${nftables}/sbin/nft -f
--- a/pkgs/firewallgen/test-rules-min.nix
+++ b/pkgs/firewallgen/test-rules-min.nix
@ -121,4 +121,23 @@ let
  };
 in {
  inherit input-ip6 forward-ip6 bogons-ip6 incoming-allowed-ip6;
  lan-set-ip = {
    kind = "set";
    family = "ip";
    type = "ifname";
    elements = [
      "eth0" "eth1"
    ];
  };
  # honours timeout flags gc-interval size policy counter auto-merge
  lan-set-ip6 = {
    kind = "set";
    family = "ip6";
    type = "ifname";
    elements = [
      "eth0" "eth1"
    ];
  };
 }