From 0365d3e1efc936ead80fb768312bb005780d2940 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Sat, 9 Oct 2021 11:23:37 +0200
Subject: yggdrasil-wg: ...

---
 modules/yggdrasil-wg/default.nix | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix
index 7502b3c7..e81fee84 100644
--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -46,6 +46,7 @@ let
   inNetwork = pathExists privateKeyPath && pathExists publicKeyPath;
   hostLinks = filter ({ from, to, ... }: from == hostName || to == hostName) links;
   hostRoutes = filter ({ from, to, ... }: from == hostName || to == hostName) routes;
+  isRouter = inNetwork && any ({via, ...}: via == hostName) routes;
   linkToPeer = opts@{from, to, ...}:
     let
       other = if from == hostName then to else from;
@@ -90,8 +91,17 @@ in {
 
     networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair hostIPs)));
 
-    boot.kernel.sysctl = mkIf (any ({via, ...}: via == hostName) routes) {
-      "net.ipv6.conf.yggdrasil.forwarding" = 1;
+    networking.firewall = mkIf isRouter {
+      extraCommands = ''
+        iptables -A FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept
+        iptables -A FORWARD -j nixos-fw-log-refuse
+        sysctl net.ipv6.conf.all.forwarding=1
+      '';
+      extraStopCommands = ''
+        sysctl net.ipv6.conf.all.forwarding=0
+        iptables -D FORWARD -j nixos-fw-log-refuse
+        iptables -D FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept
+      '';
     };
   };
 }
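Review bot: The FORWARD rules in the new `extraCommands` block are installed with `iptables`, yet the forwarding this block enables is IPv6 (`net.ipv6.conf.all.forwarding=1` two lines below), which `iptables` does not filter; the four rules should use `ip6tables` (or the firewall script's `ip46tables` helper, if both families are meant). As written, IPv6 forwarding is switched on for every interface with no ip6tables FORWARD restriction at all, while the unconditional `iptables -A FORWARD -j nixos-fw-log-refuse` rejects all forwarded IPv4 traffic on the host, unless a FORWARD policy is set elsewhere. Because `extraCommands` is re-run on firewall reload without the stop commands, the plain `-A` appends are likely to accumulate duplicate rules; guarding each with `ip6tables -C … || ip6tables -A …` (or flushing a dedicated chain before re-adding) keeps the script idempotent — confirm against the firewall module's reload behaviour. It is also worth checking that `sysctl` is on the firewall unit's PATH, since the declarative `boot.kernel.sysctl` entry it replaces is removed here and a missing binary would fail the whole firewall start.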
-- 
cgit v1.2.3