{
  config,
  lib,
  ...
}: let
  # Render an attribute set to one string: `f` is applied as
  # (name -> value -> string) to every attribute and the results are
  # concatenated in Nix attribute-name order.
  # { any } -> (string -> any -> string) -> string
  mapAttrsStrings = attrs: f: lib.concatStrings (lib.mapAttrsToList f attrs);
  # Wrap `content` in an nft block: "<title> {\n<content>}\n".
  # `content` is spliced in verbatim (no escaping, no indentation), so callers
  # are expected to pass newline-terminated text.
  bracket = title: content:
    ''
      ${title} {
    ''
    + content
    + ''
      }
    '';
in {
  # Turn this host into an IPv4 router: packets are forwarded between
  # interfaces, so the `forward` chain in ./ruleset.nix is the only thing
  # deciding which traffic may cross networks — its policy must be explicit.
  # Only IPv4 forwarding is enabled here; nothing in this file touches IPv6
  # forwarding.
  boot.kernel.sysctl = {"net.ipv4.conf.all.forwarding" = true;};

  networking = {
    nftables = {
      enable = true;
      # SECURITY NOTE(review): this disables the build-time `nft --check` of
      # the generated ruleset, so a syntax error only surfaces when
      # nftables.service tries to load it at boot. Because the NixOS iptables
      # firewall is forced off below, a failed load leaves the host with NO
      # packet filter at all. Presumably disabled because the flowtable
      # `devices` below name real interfaces that do not exist in the build
      # sandbox — TODO confirm; if so, prefer keeping the check enabled and
      # rewriting those names via `networking.nftables.preCheckRuleset`.
      checkRuleset = false;
      # The ruleset text is generated from ./ruleset.nix, which is called with
      # `lib` and the interface definitions from the custom option
      # `config.personal.networking.interfaces` (declared elsewhere).
      # The imported value is expected to be shaped as
      #   { <family> = { <tableName> = { flowtables, chains, ... }; }; }
      # as the destructuring below demands; anything else is a build error.
      ruleset =
        mapAttrsStrings (import ./ruleset.nix {
          inherit lib;
          inherit (config.personal.networking) interfaces;
        }) (
          family: tables:
            mapAttrsStrings tables (
              tableName: {
                flowtables,
                chains,
                ...
              }:
                # One `table <family> <name> { ... }` block per table, holding
                # its flowtables first and then its chains.
                bracket "table ${family} ${tableName}" (
                  mapAttrsStrings flowtables
                  (
                    flowtableName: flowtable:
                      # Each flowtable needs `hook`, `priority`, `devices`
                      # (list of interface names, joined with ", ") and a
                      # boolean `offload` that adds `flags offload;`.
                      bracket "flowtable ${flowtableName}" (
                        with flowtable;
                          ''
                            hook ${hook} priority ${priority}; devices = { ${
                              lib.concatStringsSep ", " devices
                            } };
                          ''
                          + lib.optionalString offload ''
                            flags offload;
                          ''
                      )
                  )
                  + mapAttrsStrings chains (
                    chainName: chain:
                      # A chain with a `base` attribute becomes a base chain
                      # (`type`, `hook`, `priority`, `policy` are all
                      # required); without it, a regular chain. `rules` is a
                      # string emitted verbatim, so rule order within a chain
                      # is exactly as written in ./ruleset.nix.
                      bracket "chain ${chainName}" (
                        lib.optionalString (chain ? base) (with chain.base; ''
                          type ${type} hook ${hook} priority ${priority}; policy ${policy};
                        '')
                        + chain.rules
                      )
                  )
                )
            )
        );
    };
    # The stock NixOS (iptables-based) firewall is forced off so it cannot
    # race or conflict with the ruleset above. Consequence: anything that
    # relies on it — `networking.firewall.allowed{TCP,UDP}Ports`, a service's
    # `openFirewall = true` — is silently a no-op on this host. Every exposed
    # port must therefore be granted explicitly in ./ruleset.nix.
    firewall.enable = lib.mkForce false;
  };
}