2023-09-28 10:31:25 +02:00
|
|
|
{ pkgs, config, lib, notnft, ... }:
|
|
|
|
let
|
|
|
|
inherit (lib)
|
|
|
|
types
|
|
|
|
mkOption
|
|
|
|
mkDefault
|
|
|
|
mkEnableOption
|
|
|
|
flip
|
|
|
|
concatMapStringsSep
|
|
|
|
optionalAttrs
|
|
|
|
listToAttrs
|
|
|
|
optional
|
2023-10-07 22:48:01 +02:00
|
|
|
filter
|
2024-01-18 13:15:30 +01:00
|
|
|
optionalString
|
|
|
|
;
|
2023-09-28 10:31:25 +02:00
|
|
|
cfg = config.networking.notnft;
|
2024-01-18 13:15:30 +01:00
|
|
|
jsonFormat = pkgs.formats.json {};
|
|
|
|
in {
|
2023-09-28 10:31:25 +02:00
|
|
|
options.networking.notnft = {
|
|
|
|
enable = mkEnableOption "notnft";
|
|
|
|
|
2024-01-18 13:15:30 +01:00
|
|
|
preStart = mkOption {
|
|
|
|
type = types.lines;
|
|
|
|
default = "";
|
|
|
|
};
|
|
|
|
|
|
|
|
postStart = mkOption {
|
|
|
|
type = types.lines;
|
|
|
|
default = "";
|
|
|
|
};
|
|
|
|
|
|
|
|
preStop = mkOption {
|
|
|
|
type = types.lines;
|
|
|
|
default = "";
|
|
|
|
};
|
|
|
|
|
|
|
|
postStop = mkOption {
|
|
|
|
type = types.lines;
|
|
|
|
default = "";
|
|
|
|
};
|
|
|
|
|
2023-09-28 10:31:25 +02:00
|
|
|
preRules = mkOption {
|
|
|
|
type = types.listOf jsonFormat.type;
|
|
|
|
default = [];
|
|
|
|
};
|
|
|
|
|
|
|
|
rules = mkOption {
|
|
|
|
type = notnft.types.ruleset;
|
|
|
|
default = {};
|
|
|
|
};
|
|
|
|
|
|
|
|
postRules = mkOption {
|
|
|
|
type = types.listOf jsonFormat.type;
|
|
|
|
default = [];
|
|
|
|
};
|
|
|
|
|
|
|
|
json = mkOption {
|
|
|
|
type = jsonFormat.type;
|
|
|
|
readOnly = true;
|
|
|
|
};
|
|
|
|
|
|
|
|
jsonFile = mkOption {
|
|
|
|
type = types.path;
|
|
|
|
readOnly = true;
|
|
|
|
};
|
|
|
|
|
|
|
|
flush = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
|
|
|
};
|
|
|
|
|
|
|
|
chains = {
|
|
|
|
dnsDrop = {
|
|
|
|
enable = mkEnableOption "Add dns-drop chain";
|
|
|
|
|
|
|
|
rule = mkOption {
|
|
|
|
type = notnft.type.rule;
|
|
|
|
readOnly = true;
|
|
|
|
default = with notnft.dsl; with payload;
|
|
|
|
[ jump "dns-drop" ];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = {
|
|
|
|
networking.notnft.rules = with notnft.dsl; with payload; ruleset {
|
|
|
|
filter = add table { family = f: f.inet; }
|
|
|
|
(listToAttrs (filter (x: x != {}) [
|
|
|
|
(optionalAttrs cfg.chains.dnsDrop.enable {
|
|
|
|
name = "dns-drop";
|
|
|
|
value = add chain
|
|
|
|
[ (is.ne ip.daddr "10.64.2.1") (is.eq ip.protocol (f: with f; set [ tcp udp ])) (is.eq th.dport 53) drop ];
|
|
|
|
})
|
|
|
|
]));
|
|
|
|
};
|
|
|
|
|
|
|
|
networking.notnft.json = builtins.toJSON {
|
|
|
|
nftables = (optional cfg.flush { flush.ruleset = null; }) ++ cfg.preRules ++ cfg.rules.nftables ++ cfg.postRules;
|
|
|
|
};
|
|
|
|
networking.notnft.jsonFile = pkgs.writeText "rules.json" cfg.json;
|
|
|
|
|
|
|
|
boot.blacklistedKernelModules = [ "ip_tables" ];
|
|
|
|
environment.systemPackages = [ pkgs.nftables ];
|
2023-09-28 14:42:44 +02:00
|
|
|
# networking.networkmanager.firewallBackend = mkDefault "nftables";
|
2023-09-28 10:31:25 +02:00
|
|
|
systemd.services.notnftables = {
|
|
|
|
description = "notnftables firewall";
|
|
|
|
before = [ "network-pre.target" ];
|
|
|
|
wants = [ "network-pre.target" ];
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
reloadIfChanged = true;
|
|
|
|
serviceConfig = let
|
|
|
|
startScript = pkgs.writeShellScript "start-nft.sh" ''
|
2024-01-18 13:15:30 +01:00
|
|
|
${cfg.preStart}
|
2023-09-28 10:31:25 +02:00
|
|
|
${pkgs.buildPackages.nftables}/bin/nft -j -f ${cfg.jsonFile}
|
2024-01-18 13:15:30 +01:00
|
|
|
${cfg.postStart}
|
|
|
|
'';
|
|
|
|
|
|
|
|
stopScript = pkgs.writeShellScript "stop-nft.sh" ''
|
|
|
|
${cfg.preStop}
|
|
|
|
${optionalString cfg.flush "${pkgs.nftables}/bin/nft flush ruleset"}
|
|
|
|
${cfg.postStop}
|
2023-09-28 10:31:25 +02:00
|
|
|
'';
|
|
|
|
# rulesScript = pkgs.writeTextFile {
|
|
|
|
# name = "nftables-rules";
|
|
|
|
# executable = true;
|
|
|
|
# text = ''
|
|
|
|
# #! ${pkgs.nftables}/bin/nft -f
|
|
|
|
# flush ruleset
|
|
|
|
# ${if cfg.rulesetFile != null then ''
|
|
|
|
# include "${cfg.rulesetFile}"
|
|
|
|
# '' else cfg.ruleset}
|
|
|
|
# '';
|
|
|
|
# checkPhase = lib.optionalString cfg.checkRuleset ''
|
|
|
|
# cp $out ruleset.conf
|
|
|
|
# ${cfg.preCheckRuleset}
|
|
|
|
# export NIX_REDIRECTS=/etc/protocols=${pkgs.buildPackages.iana-etc}/etc/protocols:/etc/services=${pkgs.buildPackages.iana-etc}/etc/services
|
|
|
|
# LD_PRELOAD="${pkgs.buildPackages.libredirect}/lib/libredirect.so ${pkgs.buildPackages.lklWithFirewall.lib}/lib/liblkl-hijack.so" \
|
|
|
|
# ${pkgs.buildPackages.nftables}/bin/nft --check -j < ${cfg.jsonFile}
|
|
|
|
# '';
|
|
|
|
# };
|
|
|
|
in {
|
|
|
|
Type = "oneshot";
|
|
|
|
RemainAfterExit = true;
|
|
|
|
ExecStart = startScript;
|
|
|
|
ExecReload = startScript;
|
2024-01-18 13:15:30 +01:00
|
|
|
ExecStop = stopScript;
|
2023-09-28 10:31:25 +02:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|