greg/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

netns: simplify firewall setup

Browse Source
This commit is contained in:
Erik Arvstedt 2020-10-29 21:20:41 +01:00
parent 25639cec42
commit b4b607dfa5
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
1 changed files with 6 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
modules/netns-isolation.nix
View File

@ -141,6 +141,7 @@ in {
inherit (v) netnsName; inherit (v) netnsName;
ipNetns = "${ip} -n ${netnsName}"; ipNetns = "${ip} -n ${netnsName}";
netnsIptables = "${ip} netns exec ${netnsName} ${config.networking.firewall.package}/bin/iptables"; netnsIptables = "${ip} netns exec ${netnsName} ${config.networking.firewall.package}/bin/iptables";
allowedAddresses = concatMapStringsSep "," (available: netns.${available}.address) v.availableNetns;
in { in {
"${n}".serviceConfig.NetworkNamespacePath = "/var/run/netns/${netnsName}"; "${n}".serviceConfig.NetworkNamespacePath = "/var/run/netns/${netnsName}";
@ -165,15 +166,13 @@ in {
${netnsIptables} -w -A INPUT -s 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT ${netnsIptables} -w -A INPUT -s 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT
# allow return traffic to outgoing connections initiated by the service itself # allow return traffic to outgoing connections initiated by the service itself
${netnsIptables} -w -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT ${netnsIptables} -w -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
'' + (optionalString (config.services.${n}.enforceTor or false)) '' '' + optionalString (config.services.${n}.enforceTor or false) ''
${netnsIptables} -w -P OUTPUT DROP ${netnsIptables} -w -P OUTPUT DROP
${netnsIptables} -w -A OUTPUT -d 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT ${netnsIptables} -w -A OUTPUT -d 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT
'' + concatMapStrings (otherNetns: let '' + optionalString (v.availableNetns != []) ''
other = netns.${otherNetns}; ${netnsIptables} -w -A INPUT -s ${allowedAddresses} -j ACCEPT
in '' ${netnsIptables} -w -A OUTPUT -d ${allowedAddresses} -j ACCEPT
${netnsIptables} -w -A INPUT -s ${other.address} -j ACCEPT '';
${netnsIptables} -w -A OUTPUT -d ${other.address} -j ACCEPT
'') v.availableNetns;
preStop = '' preStop = ''
${ip} netns delete ${netnsName} ${ip} netns delete ${netnsName}
''; '';