nixos/firewall: per-interface port options #41222
Conversation
Tested this with 2 interfaces myself on a machine, works just fine. It might be a bit troublesome to enable all ports you need manually, but I think that's okay for the people who need this control.
```nix
      default = mapAttrs (name: value: cfg."${name}") commonOptions;
    };
    type = with types; attrsOf (submodule [ { options = commonOptions; } ]);
    description = "Per interface options. Override action of global options.";
```
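Review bot: the `default` on the first line builds an attribute set keyed by the names in `commonOptions` (the allowed* option names) holding the global values `cfg.<name>`, while the declared type `attrsOf (submodule [ { options = commonOptions; } ])` is keyed by interface name with one submodule per interface; check that this value type-checks against that type, and if no per-interface rule is meant to exist by default, a plain `default = { };` says so more clearly. The description should also state what happens to the global allowed* options once an interface entry is set, since "Override action of global options" does not.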
I'll suggest a different wording though: "Interface-specific open ports. Setting this value will override all values of the networking.firewall.allowed* options."
Using the same formatting as the other options
```nix
      default = mapAttrs (name: value: cfg."${name}") commonOptions;
    };
    type = with types; attrsOf (submodule [ { options = commonOptions; } ]);
    description = "Interface-specific open ports. Setting this value will override all values of the networking.firewall.allowed* options.";
```
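Review bot: the description on the last line runs past 80 columns and uses `"` rather than the `''` multi-line string form the neighbouring options use; reflow it to at most 80 columns and wrap the option reference as `<literal>networking.firewall.allowed*</literal>` so it renders as code in the generated manual like the other option descriptions.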
I meant with '' quotes same as the other options, and the option networking.firewall.allowed* should be wrapped in at least <literal></literal>, also 80 chars max line length same as the other options.
Looking at the changes, it shouldn't change any existing configurations, but just to make sure: @GrahamcOfBorg test firewall networking containers-restart-networking
Success on aarch64-linux. Attempted: tests.firewall, tests.networking. The following builds were skipped because they don't evaluate on aarch64-linux: tests.containers-restart-networking
Failure on x86_64-linux. Attempted: tests.firewall, tests.networking. The following builds were skipped because they don't evaluate on x86_64-linux: tests.containers-restart-networking
Ran the tests
@infinisil Thank you!
Motivation for this change
This adds a way to have different open ports on different interfaces with rules like:

As a side effect it will decline rules set via networking.firewall.allowed... and so also rules implicitly set by services like sshd, which is fine as the user wants direct control.

Things done
- Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
- Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
- Tested execution of all binary files (usually in ./result/bin/)
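The PR description above says that declaring per-interface rules makes the firewall stop applying the global networking.firewall.allowed* values, including the port 22 rule that sshd adds implicitly. The configuration below is an added example, not code from this PR or from NixOS; it assumes the new option is reached as networking.firewall.interfaces.<name> (the attribute name is not shown on this page) and uses the hypothetical interface names eth0 and wg0. It shows the pitfall and the corrected form side by side: the global `allowedTCPPorts = [ 22 ]` no longer protects SSH once `interfaces` is set, so port 22 is listed again under each interface where administration must stay possible.

```nix
# Added example; assumes networking.firewall.interfaces.<name>.allowed* and
# the hypothetical interfaces eth0 (public) and wg0 (VPN).
{ ... }:

{
  # sshd normally opens port 22 through the global allowed* options.
  services.openssh.enable = true;

  networking.firewall = {
    enable = true;

    # Global rule. Per the PR, this (and the implicit sshd rule) is no
    # longer applied once any per-interface rules are declared, so on its
    # own it would silently lock SSH out after the switch.
    allowedTCPPorts = [ 22 ];

    interfaces = {
      # Public interface: web ports only, plus SSH repeated on purpose.
      # Without the explicit 22 here, SSH would be unreachable on eth0.
      eth0.allowedTCPPorts = [ 22 80 443 ];

      # VPN interface: DNS over TCP and UDP, and SSH for administration.
      wg0 = {
        allowedTCPPorts = [ 22 53 ];
        allowedUDPPorts = [ 53 ];
      };
    };
  };
}
```

Before activating this on a remote host, build it first with `nixos-rebuild dry-build` and, after `nixos-rebuild switch`, inspect the generated rules with `iptables -S nixos-fw` to confirm that an ACCEPT rule for port 22 exists on every interface you administer over; do the switch from a console or with a fallback session open, since the PR states that the global rules, sshd's included, are dropped as soon as per-interface rules are present.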