...

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-10-22 19:33:45 +0200
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-10-22 19:33:45 +0200
commit: ddcc8c65e30a9ca3b56e25466e749cb100b28510 (patch)
tree: 869c782c4e5874d4d353d3cd82af5b0e2dfe9a45 /hosts/vidhar
parent: 0b7bd91465487426041c777a40de3be9f7407058 (diff)
download: nixos-ddcc8c65e30a9ca3b56e25466e749cb100b28510.tar
nixos-ddcc8c65e30a9ca3b56e25466e749cb100b28510.tar.gz
nixos-ddcc8c65e30a9ca3b56e25466e749cb100b28510.tar.bz2
nixos-ddcc8c65e30a9ca3b56e25466e749cb100b28510.tar.xz
nixos-ddcc8c65e30a9ca3b56e25466e749cb100b28510.zip
4 files changed, 78 insertions, 40 deletions
diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa
index ffa79ee1..3d9d4d83 100644
--- a/hosts/vidhar/dns/zones/yggdrasil.soa
+++ b/hosts/vidhar/dns/zones/yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.
 $TTL 300
 @ IN SOA vidhar.yggdrasil. root.yggdrasil.li. (
-  2022040802 ; serial
+  2022101601 ; serial
  300        ; refresh
  300        ; retry
  300        ; expire
@@ -16,6 +16,7 @@ sif		IN	AAAA	2a03:4000:52:ada:1:2::
 grafana.vidhar          IN      CNAME   vidhar.yggdrasil.
 prometheus.vidhar       IN      CNAME   vidhar.yggdrasil.
+nfsroot.vidhar          IN      CNAME   vidhar.lan.yggdrasil.
 vidhar.lan      IN      A       10.141.0.1
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index e69674f4..f19ea9cd 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,4 +1,5 @@
 { pkgs, ... }:
 {
  imports = [ ./dsl.nix ./bifrost ./dhcp ];
@@ -69,5 +70,30 @@
        networkConfig.LinkLocalAddressing = "no";
      };
    };
+    services.nfs.server = {
+      enable = true;
+      createMountPoints = true;
+      statdPort = 4000;
+      lockdPort = 4001;
+      mountdPort = 4002;
+      extraNfsdConfig = ''
+        vers3=off
+      '';
+      exports = ''
+        /srv/nfs 10.141.0.0/24(ro,async,root_squash,fsid=0) 2a03:4000:52:ada:1::/80(ro,async,root_squash,fsid=0)
+        /srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash)
+      '';
+    };
+    fileSystems = {
+      "/srv/nfs/nix-store" = {
+        device = "/nix/store";
+        options = [ "bind" ];
+      };
+    };
  };
 }
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index e14b15ac..dfaa4c9f 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -26,7 +26,7 @@ with lib;
            { name = "ipxe";
              test = "option[77].hex == 'iPXE'";
              next-server = "10.141.0.1";
-              boot-file-name = "installer-x86_64-linux/netboot.ipxe";
+              boot-file-name = "http://nfsroot.vidhar.yggdrasil/installer-x86_64-linux/netboot.ipxe";
              only-if-required = true;
            }
            { name = "uefi-64";
@@ -229,6 +229,40 @@ with lib;
      sopsFile = ./knot-tsig.json.frag;
    };
+    services.nginx.virtualHosts."nfsroot.vidhar.yggdrasil" = {
+      addSSL = false;
+      forceSSL = false;
+      locations."/" = {
+        extraConfig = ''
+          autoindex on;
+        '';
+        root = pkgs.symlinkJoin {
+          name = "nfsroot.vidhar.yggdrasil";
+          paths =
+            (map (system:
+               let
+                 installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
+                   modules = [
+                     ({ ... }: {
+                       config.nfsroot.storeDevice = "10.141.0.1:nix-store";
+                       config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/installer-${system}/registration";
+                     })
+                   ];
+                 }).config.system.build;
+               in builtins.toPath (pkgs.runCommandLocal "install-${system}" {} ''
+                 mkdir -p $out/installer-${system}
+                 install -m 0444 -t $out/installer-${system} \
+                   ${installerBuild.initialRamdisk}/initrd \
+                   ${installerBuild.kernel}/bzImage \
+                   ${installerBuild.netbootIpxeScript}/netboot.ipxe \
+                   ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration
+               '')
+              ) ["x86_64-linux"]
+            );
+        };
+      };
+    };
    systemd.services."pxe-atftpd" = {
      description = "TFTP Server for PXE Booting";
      after = [ "network.target" ];
@@ -238,44 +272,16 @@ with lib;
          additionalTargets = {
            "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
          };
+          additionalOptions = [
+            "NSLOOKUP_CMD"
+          ];
        };
        tftpRoot = pkgs.runCommandLocal "netboot" {} ''
          mkdir -p $out
          install -m 0444 -t $out \
            ${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe
-          ${concatMapStringsSep "\n" (system:
-            let
-              installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
-                modules = [
-                  ({ ... }: { config.nfsroot.storeDevice = "vidhar:nix-store"; })
-                ];
-              }).config.system.build;
-            in ''
-              mkdir -p $out/installer-${system}
-              install -m 0444 -t $out/installer-${system} \
-                ${installerBuild.initialRamdisk}/initrd \
-                ${installerBuild.kernel}/bzImage \
-                ${installerBuild.netbootIpxeScript}/netboot.ipxe
-            ''
-          ) ["x86_64-linux"]}
        '';
      in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
    };
-    services.nfs.server = {
-      enable = true;
-      createMountPoints = true;
-      exports = ''
-        /export/nix-root 10.141.0.0/24(ro)
-      '';
-    };
-    fileSystems = {
-      "/export/nix-root" = {
-        device = "/nix/store";
-        options = [ "bind" ];
-      };
-    };
  };
 }
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index c0da0fa6..473f8a20 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -78,6 +78,7 @@ table inet filter {
  counter ssh-rx {}
  counter mosh-rx {}
  counter dns-rx {}
+  counter nfs-rx {}
  counter wg-rx {}
  counter yggdrasil-gre-rx {}
  counter ipv6-pd-rx {}
@@ -104,6 +105,7 @@ table inet filter {
  counter ssh-tx {}
  counter mosh-tx {}
  counter dns-tx {}
+  counter nfs-tx {}
  counter wg-tx {}
  counter yggdrasil-gre-tx {}
  counter ipv6-pd-tx {}
@@ -152,7 +154,7 @@ table inet filter {
    ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
-    
    iifname lo counter name rx-lo accept
    iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
@@ -165,8 +167,9 @@ table inet filter {
    iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
    iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
-    iifname { lan, mgmt, dmz01, yggdrasil } tcp dport 53 counter name dns-rx accept
+    iifname { lan, mgmt, dmz01, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
-    iifname { lan, mgmt, dmz01, yggdrasil } udp dport 53 counter name dns-rx accept
+    iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
    iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
    iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
@@ -182,7 +185,8 @@ table inet filter {
    iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
    iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept
-    
+    iifname lan tcp dport 80 counter name http-rx accept
    iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept
    ct state {established, related} counter name established-rx accept
@@ -209,8 +213,9 @@ table inet filter {
    tcp sport 22 counter name ssh-tx
    udp sport 60000-61000 counter name mosh-tx
-    tcp sport 53 counter name dns-tx
+    meta l4proto {tcp, udp} th sport 53 counter name dns-tx
-    udp sport 53 counter name dns-tx
+    tcp sport 2049 counter name nfs-tx
    meta protocol ip udp sport 51820 counter name wg-tx
    meta protocol ip6 udp sport {51821,51822} counter name wg-tx
@@ -225,7 +230,7 @@ table inet filter {
    udp sport { 137, 138, 3702 } counter name samba-tx accept
    tcp sport { 445, 139, 5357 } counter name samba-tx accept
-    tcp sport {80,443} counter name http-tx accept
+    tcp sport { 80, 443 } counter name http-tx accept
    udp sport 69 counter name tftp-tx accept
    udp dport 69 counter name tftp-tx accept
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-10-22 19:33:45 +0200
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-10-22 19:33:45 +0200
commit	ddcc8c65e30a9ca3b56e25466e749cb100b28510 (patch)
tree	869c782c4e5874d4d353d3cd82af5b0e2dfe9a45 /hosts/vidhar
parent	0b7bd91465487426041c777a40de3be9f7407058 (diff)
download	nixos-ddcc8c65e30a9ca3b56e25466e749cb100b28510.tar nixos-ddcc8c65e30a9ca3b56e25466e749cb100b28510.tar.gz nixos-ddcc8c65e30a9ca3b56e25466e749cb100b28510.tar.bz2 nixos-ddcc8c65e30a9ca3b56e25466e749cb100b28510.tar.xz nixos-ddcc8c65e30a9ca3b56e25466e749cb100b28510.zip

diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa index ffa79ee1..3d9d4d83 100644 --- a/hosts/vidhar/dns/zones/yggdrasil.soa +++ b/hosts/vidhar/dns/zones/yggdrasil.soa
@@ -1,7 +1,7 @@
1	$ORIGIN yggdrasil.	1	$ORIGIN yggdrasil.
2	$TTL 300	2	$TTL 300
3	@ IN SOA vidhar.yggdrasil. root.yggdrasil.li. (	3	@ IN SOA vidhar.yggdrasil. root.yggdrasil.li. (
4	2022040802 ; serial	4	2022101601 ; serial
5	300 ; refresh	5	300 ; refresh
6	300 ; retry	6	300 ; retry
7	300 ; expire	7	300 ; expire
@@ -16,6 +16,7 @@ sif IN AAAA 2a03:4000:52:ada:1:2::
16		16
17	grafana.vidhar IN CNAME vidhar.yggdrasil.	17	grafana.vidhar IN CNAME vidhar.yggdrasil.
18	prometheus.vidhar IN CNAME vidhar.yggdrasil.	18	prometheus.vidhar IN CNAME vidhar.yggdrasil.
		19	nfsroot.vidhar IN CNAME vidhar.lan.yggdrasil.
19		20
20		21
21	vidhar.lan IN A 10.141.0.1	22	vidhar.lan IN A 10.141.0.1


diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix index e69674f4..f19ea9cd 100644 --- a/hosts/vidhar/network/default.nix +++ b/hosts/vidhar/network/default.nix
@@ -1,4 +1,5 @@
1	{ pkgs, ... }:	1	{ pkgs, ... }:
		2
2	{	3	{
3	imports = [ ./dsl.nix ./bifrost ./dhcp ];	4	imports = [ ./dsl.nix ./bifrost ./dhcp ];
4		5
@@ -69,5 +70,30 @@
69	networkConfig.LinkLocalAddressing = "no";	70	networkConfig.LinkLocalAddressing = "no";
70	};	71	};
71	};	72	};
		73
		74	services.nfs.server = {
		75	enable = true;
		76	createMountPoints = true;
		77
		78	statdPort = 4000;
		79	lockdPort = 4001;
		80	mountdPort = 4002;
		81
		82	extraNfsdConfig = ''
		83	vers3=off
		84	'';
		85
		86	exports = ''
		87	/srv/nfs 10.141.0.0/24(ro,async,root_squash,fsid=0) 2a03:4000:52:ada:1::/80(ro,async,root_squash,fsid=0)
		88	/srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash)
		89	'';
		90	};
		91
		92	fileSystems = {
		93	"/srv/nfs/nix-store" = {
		94	device = "/nix/store";
		95	options = [ "bind" ];
		96	};
		97	};
72	};	98	};
73	}	99	}


diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix index e14b15ac..dfaa4c9f 100644 --- a/hosts/vidhar/network/dhcp/default.nix +++ b/hosts/vidhar/network/dhcp/default.nix
@@ -26,7 +26,7 @@ with lib;
26	{ name = "ipxe";	26	{ name = "ipxe";
27	test = "option[77].hex == 'iPXE'";	27	test = "option[77].hex == 'iPXE'";
28	next-server = "10.141.0.1";	28	next-server = "10.141.0.1";
29	boot-file-name = "installer-x86_64-linux/netboot.ipxe";	29	boot-file-name = "http://nfsroot.vidhar.yggdrasil/installer-x86_64-linux/netboot.ipxe";
30	only-if-required = true;	30	only-if-required = true;
31	}	31	}
32	{ name = "uefi-64";	32	{ name = "uefi-64";
@@ -229,6 +229,40 @@ with lib;
229	sopsFile = ./knot-tsig.json.frag;	229	sopsFile = ./knot-tsig.json.frag;
230	};	230	};
231		231
		232	services.nginx.virtualHosts."nfsroot.vidhar.yggdrasil" = {
		233	addSSL = false;
		234	forceSSL = false;
		235	locations."/" = {
		236	extraConfig = ''
		237	autoindex on;
		238	'';
		239	root = pkgs.symlinkJoin {
		240	name = "nfsroot.vidhar.yggdrasil";
		241	paths =
		242	(map (system:
		243	let
		244	installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
		245	modules = [
		246	({ ... }: {
		247	config.nfsroot.storeDevice = "10.141.0.1:nix-store";
		248	config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/installer-${system}/registration";
		249	})
		250	];
		251	}).config.system.build;
		252	in builtins.toPath (pkgs.runCommandLocal "install-${system}" {} ''
		253	mkdir -p $out/installer-${system}
		254	install -m 0444 -t $out/installer-${system} \
		255	${installerBuild.initialRamdisk}/initrd \
		256	${installerBuild.kernel}/bzImage \
		257	${installerBuild.netbootIpxeScript}/netboot.ipxe \
		258	${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration
		259	'')
		260	) ["x86_64-linux"]
		261	);
		262	};
		263	};
		264	};
		265
232	systemd.services."pxe-atftpd" = {	266	systemd.services."pxe-atftpd" = {
233	description = "TFTP Server for PXE Booting";	267	description = "TFTP Server for PXE Booting";
234	after = [ "network.target" ];	268	after = [ "network.target" ];
@@ -238,44 +272,16 @@ with lib;
238	additionalTargets = {	272	additionalTargets = {
239	"bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";	273	"bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
240	};	274	};
		275	additionalOptions = [
		276	"NSLOOKUP_CMD"
		277	];
241	};	278	};
242	tftpRoot = pkgs.runCommandLocal "netboot" {} ''	279	tftpRoot = pkgs.runCommandLocal "netboot" {} ''
243	mkdir -p $out	280	mkdir -p $out
244	install -m 0444 -t $out \	281	install -m 0444 -t $out \
245	${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe	282	${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe
246
247	${concatMapStringsSep "\n" (system:
248	let
249	installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
250	modules = [
251	({ ... }: { config.nfsroot.storeDevice = "vidhar:nix-store"; })
252	];
253	}).config.system.build;
254	in ''
255	mkdir -p $out/installer-${system}
256	install -m 0444 -t $out/installer-${system} \
257	${installerBuild.initialRamdisk}/initrd \
258	${installerBuild.kernel}/bzImage \
259	${installerBuild.netbootIpxeScript}/netboot.ipxe
260	''
261	) ["x86_64-linux"]}
262	'';	283	'';
263	in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";	284	in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
264	};	285	};
265
266	services.nfs.server = {
267	enable = true;
268	createMountPoints = true;
269	exports = ''
270	/export/nix-root 10.141.0.0/24(ro)
271	'';
272	};
273
274	fileSystems = {
275	"/export/nix-root" = {
276	device = "/nix/store";
277	options = [ "bind" ];
278	};
279	};
280	};	286	};
281	}	287	}


diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index c0da0fa6..473f8a20 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft
@@ -78,6 +78,7 @@ table inet filter {
78	counter ssh-rx {}	78	counter ssh-rx {}
79	counter mosh-rx {}	79	counter mosh-rx {}
80	counter dns-rx {}	80	counter dns-rx {}
		81	counter nfs-rx {}
81	counter wg-rx {}	82	counter wg-rx {}
82	counter yggdrasil-gre-rx {}	83	counter yggdrasil-gre-rx {}
83	counter ipv6-pd-rx {}	84	counter ipv6-pd-rx {}
@@ -104,6 +105,7 @@ table inet filter {
104	counter ssh-tx {}	105	counter ssh-tx {}
105	counter mosh-tx {}	106	counter mosh-tx {}
106	counter dns-tx {}	107	counter dns-tx {}
		108	counter nfs-tx {}
107	counter wg-tx {}	109	counter wg-tx {}
108	counter yggdrasil-gre-tx {}	110	counter yggdrasil-gre-tx {}
109	counter ipv6-pd-tx {}	111	counter ipv6-pd-tx {}
@@ -152,7 +154,7 @@ table inet filter {
152		154
153		155
154	ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop	156	ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
155		157
156		158
157	iifname lo counter name rx-lo accept	159	iifname lo counter name rx-lo accept
158	iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject	160	iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
@@ -165,8 +167,9 @@ table inet filter {
165	iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept	167	iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
166	iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept	168	iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
167		169
168	iifname { lan, mgmt, dmz01, yggdrasil } tcp dport 53 counter name dns-rx accept	170	iifname { lan, mgmt, dmz01, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
169	iifname { lan, mgmt, dmz01, yggdrasil } udp dport 53 counter name dns-rx accept	171
		172	iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
170		173
171	iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept	174	iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
172	iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept	175	iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
@@ -182,7 +185,8 @@ table inet filter {
182	iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept	185	iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
183		186
184	iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept	187	iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept
185		188	iifname lan tcp dport 80 counter name http-rx accept
		189
186	iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept	190	iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept
187		191
188	ct state {established, related} counter name established-rx accept	192	ct state {established, related} counter name established-rx accept
@@ -209,8 +213,9 @@ table inet filter {
209	tcp sport 22 counter name ssh-tx	213	tcp sport 22 counter name ssh-tx
210	udp sport 60000-61000 counter name mosh-tx	214	udp sport 60000-61000 counter name mosh-tx
211		215
212	tcp sport 53 counter name dns-tx	216	meta l4proto {tcp, udp} th sport 53 counter name dns-tx
213	udp sport 53 counter name dns-tx	217
		218	tcp sport 2049 counter name nfs-tx
214		219
215	meta protocol ip udp sport 51820 counter name wg-tx	220	meta protocol ip udp sport 51820 counter name wg-tx
216	meta protocol ip6 udp sport {51821,51822} counter name wg-tx	221	meta protocol ip6 udp sport {51821,51822} counter name wg-tx
@@ -225,7 +230,7 @@ table inet filter {
225	udp sport { 137, 138, 3702 } counter name samba-tx accept	230	udp sport { 137, 138, 3702 } counter name samba-tx accept
226	tcp sport { 445, 139, 5357 } counter name samba-tx accept	231	tcp sport { 445, 139, 5357 } counter name samba-tx accept
227		232
228	tcp sport {80,443} counter name http-tx accept	233	tcp sport { 80, 443 } counter name http-tx accept
229		234
230	udp sport 69 counter name tftp-tx accept	235	udp sport 69 counter name tftp-tx accept
231	udp dport 69 counter name tftp-tx accept	236	udp dport 69 counter name tftp-tx accept