newedge/liminix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

firewall: update zones with interface names as they appear

Browse Source
This commit is contained in:
Daniel Barlow
2025-02-10 00:42:27 +00:00
parent 4bb081ffcf
commit 7f17125039
2 changed files with 78 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
modules/firewall/service.nix
View File

@@ -3,11 +3,17 @@
, lib
, firewallgen
, nftables
, writeFennel
, anoia
, lualinux
, linotify
}:
{ rules, extraRules, zones }:
let
inherit (liminix.services) longrun ; # oneshot;
inherit (lib.attrsets) mapAttrs' nameValuePair;
inherit (liminix.services) longrun;
inherit (lib.attrsets) mapAttrs' nameValuePair mapAttrsToList;
inherit (lib.strings) concatStringsSep;
inherit (lib.lists) flatten;
mkSet = family : name :
nameValuePair
"${name}-set-${family}"
@@ -20,12 +26,17 @@ let
(mapAttrs' (n : _ : mkSet "ip6" n) zones);
allRules = lib.recursiveUpdate extraRules (lib.recursiveUpdate (builtins.trace sets sets) rules);
script = firewallgen "firewall1.nft" allRules;
ifwatch = writeFennel "ifwatch" {
packages = [anoia lualinux linotify];
mainFunction = "run";
} ./ifwatch.fnl ;
watchArg = z : intfs : map (i: "${z}:${i}/.outputs") intfs;
in longrun {
name = "firewall";
run = ''
${script}
while : ; do sleep 86400 ; done
PATH=${nftables}/bin:$PATH
${ifwatch} ${concatStringsSep " " (flatten (mapAttrsToList watchArg zones))}
'';
finish = "${nftables}/bin/nft flush ruleset";
}