From 0365d3e1efc936ead80fb768312bb005780d2940 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sat, 9 Oct 2021 11:23:37 +0200 Subject: yggdrasil-wg: ... --- modules/yggdrasil-wg/default.nix | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'modules/yggdrasil-wg/default.nix') diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix index 7502b3c7..e81fee84 100644 --- a/modules/yggdrasil-wg/default.nix +++ b/modules/yggdrasil-wg/default.nix @@ -46,6 +46,7 @@ let inNetwork = pathExists privateKeyPath && pathExists publicKeyPath; hostLinks = filter ({ from, to, ... }: from == hostName || to == hostName) links; hostRoutes = filter ({ from, to, ... }: from == hostName || to == hostName) routes; + isRouter = inNetwork && any ({via, ...}: via == hostName) routes; linkToPeer = opts@{from, to, ...}: let other = if from == hostName then to else from; @@ -90,8 +91,17 @@ in { networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair hostIPs))); - boot.kernel.sysctl = mkIf (any ({via, ...}: via == hostName) routes) { - "net.ipv6.conf.yggdrasil.forwarding" = 1; + networking.firewall = mkIf isRouter { + extraCommands = '' + iptables -A FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept + iptables -A FORWARD -j nixos-fw-log-refuse + sysctl net.ipv6.conf.all.forwarding=1 + ''; + extraStopCommands = '' + sysctl net.ipv6.conf.all.forwarding=0 + iptables -D FORWARD -j nixos-fw-log-refuse + iptables -D FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept + ''; }; }; } -- cgit v1.2.3