diff options
author | tv <tv@krebsco.de> | 2016-02-07 03:09:14 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2016-02-07 03:09:14 +0100 |
commit | 01a0f8a7ea7ed86d10bde3d9d4e42ac97e6359b0 (patch) | |
tree | 4a2e040621e13a87456046bbddec25ac9a76520c /tv/3modules | |
parent | 2ac82761cac283ccd7bce2aa5597c8bb44395ace (diff) |
tv: accept internet echo requests
Diffstat (limited to 'tv/3modules')
-rw-r--r-- | tv/3modules/iptables.nix | 27 |
1 files changed, 15 insertions, 12 deletions
diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix index cbf49f5..9d5b5d0 100644 --- a/tv/3modules/iptables.nix +++ b/tv/3modules/iptables.nix @@ -13,6 +13,11 @@ let api = { enable = mkEnableOption "tv.iptables"; + accept-echo-request = mkOption { + type = with types; nullOr (enum ["internet" "retiolum"]); + default = "retiolum"; + }; + input-internet-accept-new-tcp = mkOption { type = with types; listOf (either int str); default = []; @@ -49,10 +54,14 @@ let }; - accept-new-tcp = port: - "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"; - - rules = iptables-version: + rules = iptables-version: let + accept-echo-request = { + ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT"; + ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT"; + }."ip${toString iptables-version}tables"; + accept-new-tcp = port: + "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"; + in pkgs.writeText "tv-iptables-rules${toString iptables-version}" '' *nat :PREROUTING ACCEPT [0:0] @@ -76,18 +85,12 @@ let "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" "-i lo -j ACCEPT" ] + ++ optional (cfg.accept-echo-request == "internet") accept-echo-request ++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp)) ++ ["-i retiolum -j Retiolum"] )} ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([] - ++ { - ip4tables = [ - "-p icmp -m icmp --icmp-type echo-request -j ACCEPT" - ]; - ip6tables = [ - "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT" - ]; - }."ip${toString iptables-version}tables" + ++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request ++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp)) ++ { ip4tables = [ |