dan/liminix
1
0
Fork 5
Code

Compare commits

base: dan:3f889c7119145518e43b2f57bb1b9d7b4fdbd01a
Branches Tags
dan:main
dan:nftables-turned
dan:firescape
dan:runciter
dan:wip-pstore-tls
dan:fallover
dan:lte
dan:gateway-profile
dan:tftpboot-append-dtb
dan:mainline-omnia-wip
dan:armv7
dan:hark-how-all-the-belkin-rings
dan:first-do-no-arm
dan:doc-do-over
dan:module-based-network
..
compare: dan:c363d55be5fd0b22576370a96dfff8457cceca07
Branches Tags
dan:main
dan:nftables-turned
dan:firescape
dan:runciter
dan:wip-pstore-tls
dan:fallover
dan:lte
dan:gateway-profile
dan:tftpboot-append-dtb
dan:mainline-omnia-wip
dan:armv7
dan:hark-how-all-the-belkin-rings
dan:first-do-no-arm
dan:doc-do-over
dan:module-based-network

7 Commits
3f889c7119 ... c363d55be5

Author SHA1 Message Date
Daniel Barlow
c363d55be5 delete unused function 2025-02-10 20:57:23 +00:00
Daniel Barlow
40d257ef1b firewall: update zones with interface names as they appear 2025-02-10 00:42:27 +00:00
Daniel Barlow
ac6d5618a6 export anoia.svc:fileno so it can be used with event loops 2025-02-10 00:41:01 +00:00
Daniel Barlow
21f2cc6dad WIP add zones to firewall module 
- zones are an attrset of name -> [interface-service]

- the firewall will create empty "ifname" sets for each zone name
 in each address family (ip, ip6)

- then watch the interface services, and add the "ifname" outputs
to the corresponding sets when they appear

This commit only adds the empty sets
 2025-02-06 12:08:12 +00:00
Daniel Barlow
0bb075ba6b thing 2025-02-06 09:22:41 +00:00
Daniel Barlow
514a01098a add (very basic) set support in firewallgen 
and add sets for lan/wan/dmz/guest interface names to default
firewall rules
 2025-02-06 09:22:41 +00:00
Daniel Barlow
f65cd0677e think 2025-02-06 09:22:41 +00:00
4 changed files with 8 additions and 15 deletions
Show Stats Expand all files Collapse all files

12
THOUGHTS.txt
View File

@ -7010,13 +7010,5 @@ which interface services are in which zones
we'd have to ensure that the interface services did not end up as we'd have to ensure that the interface services did not end up as
dependencies of the firewall dependencies of the firewall
then the firewall could then the firewall could watch each interface service for the ifname
output and add it to the right zone
- create the sets
- watch each interface service for the ifname output and add it to the right zone
Sun Feb 9 21:33:57 GMT 2025
nft update set @lan
echo 'flush set table-ip lan; add element table-ip lan { eth0,lo }' | nft -f -

4
examples/rotuer.nix
View File

@ -69,6 +69,10 @@ in rec {
firewall = { firewall = {
enable = true; enable = true;
rules = secrets.firewallRules; rules = secrets.firewallRules;
zones = {
lan = [ config.services.int ];
wan = [ config.services.wan ] ;
};
}; };
wireless.networks = { wireless.networks = {
# EDIT: if you have more or fewer wireless radios, here is where # EDIT: if you have more or fewer wireless radios, here is where

3
modules/firewall/ifwatch.fnl
View File

@ -48,7 +48,8 @@
(.. (..
"flush set ip table-ip " zone "; \n" "flush set ip table-ip " zone "; \n"
"flush set ip6 table-ip6 " zone "; \n" "flush set ip6 table-ip6 " zone "; \n"
))) )
(fn run [] (fn run []
(while true (while true

4
modules/profiles/gateway.nix
View File

@ -50,10 +50,6 @@ in {
rules = mkOption { type = types.attrsOf types.attrs; }; rules = mkOption { type = types.attrsOf types.attrs; };
zones = mkOption { zones = mkOption {
type = types.attrsOf (types.listOf liminix.lib.types.service); type = types.attrsOf (types.listOf liminix.lib.types.service);
default = {
lan = [ config.services.int ];
wan = [ config.services.wan ];
};
}; };
}; };