From 3bb82c2ac68fbb4ef04b0a350c1a072b019970cc Mon Sep 17 00:00:00 2001
From: "quentin@aristote.fr"
Date: Sun, 21 May 2023 17:14:39 +0200
Subject: config: networking: firewall: use flowtables

---
config/networking/services/firewall/default.nix | 42 ++++++++++++++++++-------
1 file changed, 31 insertions(+), 11 deletions(-)
(limited to 'config/networking/services/firewall/default.nix')

diff --git a/config/networking/services/firewall/default.nix b/config/networking/services/firewall/default.nix
index 878e7cc..b76174a 100644
--- a/config/networking/services/firewall/default.nix
+++ b/config/networking/services/firewall/default.nix
@@ -1,7 +1,7 @@
 { config, lib, ... }:
 let
- # { any } -> (string -> any -> [ string ]) -> string
+ # { any } -> (string -> any -> string) -> string
 mapAttrsStrings = attrs: f: lib.concatStrings (lib.mapAttrsToList f attrs);
 bracket = title: content: ''
@@ -15,16 +15,36 @@ in {
 networking = {
 nftables = {
 enable = true;
- ruleset = mapAttrsStrings
- (import ./ruleset.nix config.personal.networking.networks)
- (family: tables:
- mapAttrsStrings tables (tableName: chains:
- bracket "table ${family} ${tableName}" (mapAttrsStrings chains
- (chainName: chain:
- bracket "chain ${chainName}" (lib.optionalString (chain ? base)
- (with chain.base; ''
- type ${type} hook ${hook} priority ${priority}; policy ${policy};
- '') + chain.rules)))));
+ ruleset = mapAttrsStrings (import ./ruleset.nix {
+ inherit lib;
+ nets = config.personal.networking.networks;
+ }) (family: tables:
+ mapAttrsStrings tables (tableName:
+ { flowtables, chains, ... }:
+ bracket "table ${family} ${tableName}" (
+ mapAttrsStrings flowtables
+ (flowtableName: flowtable:
+ bracket "flowtable ${flowtableName}" (with flowtable;
+ ''
+ hook ${hook} priority ${priority}; devices = { ${
+ lib.concatStringsSep ", " devices
+ } };
+ '' + lib.optionalString offload ''
+ flags offload;
+ ''
+ )
+ )
+ + mapAttrsStrings chains (chainName: chain:
+ bracket "chain ${chainName}" (
+ lib.optionalString (chain ? base) (with chain.base; ''
+ type ${type} hook ${hook} priority ${priority}; policy ${policy};
+ '')
+ + chain.rules
+ )
+ )
+ )
+ )
+ );
 };
 firewall.enable = lib.mkForce false;
 };
-- 
cgit v1.2.3
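Review bot: The new table pattern `{ flowtables, chains, ... }:` makes `flowtables` a required attribute of every table returned by ruleset.nix, so a table that declares only chains now fails evaluation with a missing-attribute error instead of rendering as it did before; `{ flowtables ? { }, chains, ... }:` keeps the old shape working (the same applies to `offload`, which `lib.optionalString offload` reads unconditionally). The flowtable block also deserves a comment, because once a forward-chain rule adds a connection to a flowtable its later packets take the fast path and are no longer evaluated by the remaining rules of that chain, so any logging or counter rules placed after the `flow add` rule in ruleset.nix will not see them — worth stating next to `bracket "flowtable ${flowtableName}"` since the rules that trigger this live outside this file section. `flags offload;` is emitted whenever `offload` is true; hardware offload depends on driver support and, as far as I can tell, nft rejects the whole ruleset on a device that lacks it rather than falling back to software, so activation would fail on such hosts. The outer attribute set opened by the `in {` header context closes outside this hunk.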