diff options
author | tv <tv@krebsco.de> | 2016-06-30 00:52:35 +0200 |
---|---|---|
committer | tv <tv@krebsco.de> | 2016-06-30 01:08:01 +0200 |
commit | 716a2fc6e842ff051df6de1999b5b97780f2d2cd (patch) | |
tree | b2dd51a390b42f715e66dd806a4ebda41096aeee /tv/3modules/iptables.nix | |
parent | 20a9f5906144d8083300691ea588a9d2ef1a4f60 (diff) |
tv iptables: add input-*-accept-udp
Diffstat (limited to 'tv/3modules/iptables.nix')
-rw-r--r-- | tv/3modules/iptables.nix | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix index c0e71f24d..4b1d1ef87 100644 --- a/tv/3modules/iptables.nix +++ b/tv/3modules/iptables.nix @@ -17,12 +17,22 @@ let default = "retiolum"; }; - input-internet-accept-new-tcp = mkOption { + input-internet-accept-tcp = mkOption { type = with types; listOf (either int str); default = []; }; - input-retiolum-accept-new-tcp = mkOption { + input-internet-accept-udp = mkOption { + type = with types; listOf (either int str); + default = []; + }; + + input-retiolum-accept-tcp = mkOption { + type = with types; listOf (either int str); + default = []; + }; + + input-retiolum-accept-udp = mkOption { type = with types; listOf (either int str); default = []; }; @@ -83,8 +93,8 @@ let ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT"; ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT"; }."ip${toString iptables-version}tables"; - accept-new-tcp = port: - "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"; + accept-tcp = port: "-p tcp -m tcp --dport ${port} -j ACCEPT"; + accept-udp = port: "-p udp -m udp --dport ${port} -j ACCEPT"; in pkgs.writeText "tv-iptables-rules${toString iptables-version}" '' *nat @@ -112,13 +122,15 @@ let "-i lo -j ACCEPT" ] ++ optional (cfg.accept-echo-request == "internet") accept-echo-request - ++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp)) + ++ map accept-tcp (unique (map toString cfg.input-internet-accept-tcp)) + ++ map accept-udp (unique (map toString cfg.input-internet-accept-udp)) ++ ["-i retiolum -j Retiolum"] )} ${formatTable cfg.extra.filter} ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([] ++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request - ++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp)) + ++ map accept-tcp (unique (map toString cfg.input-retiolum-accept-tcp)) + ++ map accept-udp (unique (map toString cfg.input-retiolum-accept-udp)) ++ { ip4tables = [ "-p tcp -j REJECT --reject-with tcp-reset" |