WIP add zones to firewall module
- zones are an attrset of name -> [interface-service]
- the firewall will create empty "ifname" sets for each zone name in each address family (ip, ip6)
- then watch the interface services, and add the "ifname" outputs to the corresponding sets when they appear

This commit only adds the empty sets.
@@ -4,12 +4,28 @@
|
||||
, firewallgen
|
||||
, nftables
|
||||
}:
|
||||
{ rules, extraRules }:
|
||||
{ rules, extraRules, zones }:
|
||||
let
|
||||
inherit (liminix.services) oneshot;
|
||||
script = firewallgen "firewall.nft" (lib.recursiveUpdate rules extraRules);
|
||||
in oneshot {
|
||||
inherit (liminix.services) longrun ; # oneshot;
|
||||
inherit (lib.attrsets) mapAttrs' nameValuePair;
|
||||
mkSet = family : name :
|
||||
nameValuePair
|
||||
"${name}-set-${family}"
|
||||
{
|
||||
kind = "set";
|
||||
inherit name family;
|
||||
type = "ifname";
|
||||
};
|
||||
sets = (mapAttrs' (n : _ : mkSet "ip" n) zones) //
|
||||
(mapAttrs' (n : _ : mkSet "ip6" n) zones);
|
||||
allRules = lib.recursiveUpdate extraRules (lib.recursiveUpdate (builtins.trace sets sets) rules);
|
||||
script = firewallgen "firewall1.nft" allRules;
|
||||
|
||||
in longrun {
|
||||
name = "firewall";
|
||||
up = script;
|
||||
down = "${nftables}/bin/nft flush ruleset";
|
||||
run = ''
|
||||
${script}
|
||||
while : ; do sleep 86400 ; done
|
||||
'';
|
||||
finish = "${nftables}/bin/nft flush ruleset";
|
||||
}
|
||||
|
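Review bot: The new `allRules` line inverts the override order the removed `script` line had: `lib.recursiveUpdate extraRules (lib.recursiveUpdate (builtins.trace sets sets) rules)` makes `rules` win over `extraRules`, whereas the old `lib.recursiveUpdate rules extraRules` let `extraRules` have the last word, so a caller's override of a default rule is now silently discarded; it also leaves `builtins.trace` debug output in the evaluation. If the old precedence is still intended I would write `allRules = lib.recursiveUpdate (lib.recursiveUpdate sets rules) extraRules;` so the generated zone sets are the base layer, `rules` sit on top and `extraRules` keep priority. Separately, `finish` flushes the entire ruleset, so any restart of the longrun presumably leaves the host unfiltered until `run` re-applies the script; a comment on `finish` saying whether that fail-open window is accepted would help the next reader. The renamed output `"firewall1.nft"` also deserves a short comment explaining why it differs from the previous `"firewall.nft"`.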