authorGregor Kleen <gkleen@yggdrasil.li>2023-08-08 21:48:11 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2023-08-08 21:48:11 +0200
commit6bc9ae25153a292b5e34ec0b891d83c98b1d5e8a (patch)
tree4497d93ad2d46c04e311bf87755fbf6c42b56c7f /hosts/sif
parentdf4f7efea1570050ba3f1828e41419304606e212 (diff)
...
Diffstat (limited to 'hosts/sif')
-rw-r--r--hosts/sif/default.nix4
-rw-r--r--hosts/sif/ruleset.nft10
2 files changed, 12 insertions, 2 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index c55cc7a8..bde5cdf8 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -288,8 +288,8 @@ in {
288 bogus-priv = true; 288 bogus-priv = true;
289 no-hosts = true; 289 no-hosts = true;
290 listen-address = [ "192.168.122.1" "fd45:febc:b028::" ]; 290 listen-address = [ "192.168.122.1" "fd45:febc:b028::" ];
291 interface = "virbr0"; 291 # interface = "virbr0";
292 except-interface = "lo"; 292 # except-interface = "lo";
293 bind-interfaces = true; 293 bind-interfaces = true;
294 domain = "libvirt,192.168.122.0/24"; 294 domain = "libvirt,192.168.122.0/24";
295 dhcp-range = [ "192.168.122.128,192.168.122.254,1h" "fd45:febc:b028::1,fd45:febc:b028:0:ffff:ffff:ffff:ffff,ra-names,1h" ]; 295 dhcp-range = [ "192.168.122.128,192.168.122.254,1h" "fd45:febc:b028::1,fd45:febc:b028:0:ffff:ffff:ffff:ffff,ra-names,1h" ];
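Review bot: If the right-hand column is the new side, lines 291–292 now leave `interface = "virbr0"` and `except-interface = "lo"` as commented-out config with no reason recorded, so a later reader cannot tell whether dropping them was deliberate or a debugging leftover. With `bind-interfaces = true` and an explicit `listen-address` remaining, dnsmasq is restricted by address rather than by interface, and that is worth stating where the old lines were, e.g. `# interface/except-interface intentionally unset: binding is limited by listen-address + bind-interfaces`. If the lines are not coming back, deleting them rather than commenting them out keeps the attribute set free of dead config. The enclosing dnsmasq settings block starts before and ends after the shown hunk.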
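--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -90,6 +90,7 @@ table inet filter {
 counter libvirt-dns {}
 
 
+chain forward_tmp {}
 chain forward {
 type filter hook forward priority filter
 policy drop
@@ -100,6 +101,8 @@ table inet filter {
 
 iifname lo counter name fw-lo accept
 
+jump forward_tmp
+
 iifname virbr0 oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4} counter name fw-libvirt accept
 oifname virbr0 ct state {established, related} counter name fw-libvirt accept
 
@@ -110,6 +113,7 @@ table inet filter {
 ct state new counter name reject-icmp-fw reject
 }
 
+chain input_tmp {}
 chain input {
 type filter hook input priority filter
 policy drop
@@ -125,6 +129,8 @@ table inet filter {
 meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
 meta l4proto $icmp_protos counter name icmp-rx accept
 
+jump input_tmp
+
 tcp dport 22 counter name ssh-rx accept
 udp dport 60000-61000 counter name mosh-rx accept
 
@@ -180,11 +186,13 @@ table inet filter {
 table ip nat {
 counter libvirt-nat {}
 
+chain postrouting_tmp {}
 chain postrouting {
 type nat hook postrouting priority srcnat
 policy accept
 
 iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
+jump postrouting_tmp
 }
 }
 
@@ -202,10 +210,12 @@ table ip6 nat {
 table ip mss_clamp {
 counter libvirt-mss-clamp {}
 
+chain postrouting_tmp {}
 chain postrouting {
 type filter hook postrouting priority mangle
 policy accept
 
 iifname virbr0 oifname != virbr0 tcp flags & (syn|rst) == syn counter name libvirt-mss-clamp tcp option maxseg size set rt mtu
+jump postrouting_tmp
 }
 }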
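Review bot: The new `jump forward_tmp` (new line 104) is evaluated before the libvirt egress restriction on line 106, so any `accept` later loaded into `forward_tmp` can let traffic from `virbr0` reach the `wgrz`/`yggdrasil*`/`yggre-*` interfaces the static rule deliberately excludes, and `jump input_tmp` (new line 132) sits ahead of the SSH and mosh accepts, so a `drop` loaded there can lock out administrative access. Nothing in the diff records who populates the `*_tmp` chains or whether a reload of this file (with or without `flush ruleset`) is expected to discard their contents, so a comment next to each definition would help, e.g. `# forward_tmp: populated at runtime, not by this file; evaluated before the static libvirt rules and falls through to policy drop`. If the chains are only meant to open additional ports, placing the jumps after the static accepts would keep the static policy authoritative. The `table ip nat` postrouting hook gets a `postrouting_tmp` but the `table ip6 nat` named in the last hunk header does not appear to, which is worth confirming if the hooks are meant to be symmetric. The `forward` and `input` chain bodies continue outside the shown hunks.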