Diffstat (limited to 'config/networking/services/firewall/default.nix')
-rw-r--r--config/networking/services/firewall/default.nix80
1 files changed, 47 insertions, 33 deletions
diff --git a/config/networking/services/firewall/default.nix b/config/networking/services/firewall/default.nix
index d7a541f..1054a39 100644
--- a/config/networking/services/firewall/default.nix
+++ b/config/networking/services/firewall/default.nix
@@ -1,51 +1,65 @@
-{ config, lib, ... }:
-
-let
+{
+ config,
+ lib,
+ ...
+}: let
# { any } -> (string -> any -> string) -> string
mapAttrsStrings = attrs: f: lib.concatStrings (lib.mapAttrsToList f attrs);
bracket = title: content:
''
${title} {
- '' + content + ''
+ ''
+ + content
+ + ''
}
'';
in {
- boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; };
+ boot.kernel.sysctl = {"net.ipv4.conf.all.forwarding" = true;};
networking = {
nftables = {
enable = true;
checkRuleset = false;
- ruleset = mapAttrsStrings (import ./ruleset.nix {
- inherit lib;
- nets = config.personal.networking.networks;
- }) (family: tables:
- mapAttrsStrings tables (tableName:
- { flowtables, chains, ... }:
- bracket "table ${family} ${tableName}" (
- mapAttrsStrings flowtables
- (flowtableName: flowtable:
- bracket "flowtable ${flowtableName}" (with flowtable;
- ''
- hook ${hook} priority ${priority}; devices = { ${
- lib.concatStringsSep ", " devices
- } };
- '' + lib.optionalString offload ''
- flags offload;
- ''
- )
- )
- + mapAttrsStrings chains (chainName: chain:
- bracket "chain ${chainName}" (
- lib.optionalString (chain ? base) (with chain.base; ''
- type ${type} hook ${hook} priority ${priority}; policy ${policy};
- '')
- + chain.rules
+ ruleset =
+ mapAttrsStrings (import ./ruleset.nix {
+ inherit lib;
+ inherit (config.personal.networking) interfaces;
+ }) (
+ family: tables:
+ mapAttrsStrings tables (
+ tableName: {
+ flowtables,
+ chains,
+ ...
+ }:
+ bracket "table ${family} ${tableName}" (
+ mapAttrsStrings flowtables
+ (
+ flowtableName: flowtable:
+ bracket "flowtable ${flowtableName}" (
+ with flowtable;
+ ''
+ hook ${hook} priority ${priority}; devices = { ${
+ lib.concatStringsSep ", " devices
+ } };
+ ''
+ + lib.optionalString offload ''
+ flags offload;
+ ''
+ )
)
+ + mapAttrsStrings chains (
+ chainName: chain:
+ bracket "chain ${chainName}" (
+ lib.optionalString (chain ? base) (with chain.base; ''
+ type ${type} hook ${hook} priority ${priority}; policy ${policy};
+ '')
+ + chain.rules
+ )
+ )
+ )
)
- )
- )
- );
+ );
};
firewall.enable = lib.mkForce false;
};