summaryrefslogtreecommitdiffstats
path: root/tv/3modules
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2016-06-30 00:52:35 +0200
committertv <tv@krebsco.de>2016-06-30 01:08:01 +0200
commit10ff37466663cfac5067d9df275182840a21a9e7 (patch)
tree6c2303b759022b1c9dbf50028432e5316b3a24f5 /tv/3modules
parent9651d853d83468d39d1476eebc8ab6a61d69c4a0 (diff)
tv iptables: add input-*-accept-udp
Diffstat (limited to 'tv/3modules')
-rw-r--r--tv/3modules/iptables.nix24
1 files changed, 18 insertions, 6 deletions
diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix
index c0e71f2..4b1d1ef 100644
--- a/tv/3modules/iptables.nix
+++ b/tv/3modules/iptables.nix
@@ -17,12 +17,22 @@ let
default = "retiolum";
};
- input-internet-accept-new-tcp = mkOption {
+ input-internet-accept-tcp = mkOption {
type = with types; listOf (either int str);
default = [];
};
- input-retiolum-accept-new-tcp = mkOption {
+ input-internet-accept-udp = mkOption {
+ type = with types; listOf (either int str);
+ default = [];
+ };
+
+ input-retiolum-accept-tcp = mkOption {
+ type = with types; listOf (either int str);
+ default = [];
+ };
+
+ input-retiolum-accept-udp = mkOption {
type = with types; listOf (either int str);
default = [];
};
@@ -83,8 +93,8 @@ let
ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT";
ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT";
}."ip${toString iptables-version}tables";
- accept-new-tcp = port:
- "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT";
+ accept-tcp = port: "-p tcp -m tcp --dport ${port} -j ACCEPT";
+ accept-udp = port: "-p udp -m udp --dport ${port} -j ACCEPT";
in
pkgs.writeText "tv-iptables-rules${toString iptables-version}" ''
*nat
@@ -112,13 +122,15 @@ let
"-i lo -j ACCEPT"
]
++ optional (cfg.accept-echo-request == "internet") accept-echo-request
- ++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp))
+ ++ map accept-tcp (unique (map toString cfg.input-internet-accept-tcp))
+ ++ map accept-udp (unique (map toString cfg.input-internet-accept-udp))
++ ["-i retiolum -j Retiolum"]
)}
${formatTable cfg.extra.filter}
${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
- ++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp))
+ ++ map accept-tcp (unique (map toString cfg.input-retiolum-accept-tcp))
+ ++ map accept-udp (unique (map toString cfg.input-retiolum-accept-udp))
++ {
ip4tables = [
"-p tcp -j REJECT --reject-with tcp-reset"