WIP add zones to firewall module

- zones are an attrset of name -> [interface-service]

- the firewall will create empty "ifname" sets for each zone name
 in each address family (ip, ip6)

- then watch the interface services, and add the "ifname" outputs
to the corresponding sets when they appear

This commit only adds the empty sets
Daniel Barlow
2025-02-06 11:57:06 +00:00
parent 1d780de0f1
commit 6587813577
5 changed files with 40 additions and 22 deletions


@@ -4,12 +4,28 @@
, firewallgen
, nftables
}:
{ rules, extraRules }:
{ rules, extraRules, zones }:
let
inherit (liminix.services) oneshot;
script = firewallgen "firewall.nft" (lib.recursiveUpdate rules extraRules);
in oneshot {
inherit (liminix.services) longrun ; # oneshot;
inherit (lib.attrsets) mapAttrs' nameValuePair;
mkSet = family : name :
nameValuePair
"${name}-set-${family}"
{
kind = "set";
inherit name family;
type = "ifname";
};
sets = (mapAttrs' (n : _ : mkSet "ip" n) zones) //
(mapAttrs' (n : _ : mkSet "ip6" n) zones);
allRules = lib.recursiveUpdate extraRules (lib.recursiveUpdate (builtins.trace sets sets) rules);
script = firewallgen "firewall1.nft" allRules;
in longrun {
name = "firewall";
up = script;
down = "${nftables}/bin/nft flush ruleset";
run = ''
${script}
while : ; do sleep 86400 ; done
'';
finish = "${nftables}/bin/nft flush ruleset";
}
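Review bot: The merge order in `allRules = lib.recursiveUpdate extraRules (lib.recursiveUpdate (builtins.trace sets sets) rules)` inverts the previous precedence: `recursiveUpdate` lets its second argument win, so `rules` now overrides `extraRules`, whereas the old `lib.recursiveUpdate rules extraRules` let a caller's `extraRules` override the generated rules, and any deployment relying on that to tighten or adjust a generated rule silently loses the override; `allRules = lib.recursiveUpdate (lib.recursiveUpdate sets rules) extraRules;` restores the old order with the new sets at the lowest priority. The `builtins.trace sets sets` on that line and the `"firewall1.nft"` filename in the `script =` line below it look like debugging leftovers, since the trace dumps the set definitions at evaluation time and the rename leaves anything still reading `firewall.nft` pointing at a stale file, so both should be reverted before this leaves WIP. In `run`, a failing `${script}` falls straight into the `while : ; do sleep 86400 ; done` loop, so the longrun reports up with whatever partial ruleset nft managed to load, where the previous oneshot's `up = script;` would have failed the service; `${script} || exit 1` ahead of the loop keeps a load failure visible to the supervisor. A one-line comment on `mkSet` would also help, e.g. `# one empty ifname set per zone and address family, to be filled in as interfaces appear`. The enclosing function's argument list begins above the hunk.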