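{ pkgs, notnft, ... }:
{
  # "dmz" network namespace: a bridge (br-dmz) with one veth leg into each of
  # the "border" and "hel" namespaces. The namespace only bridges frames; its
  # own IP stack is firewalled shut by the nftables ruleset below.
  services.ifstate.settings.namespaces.dmz = {
    interfaces = [
      {
        name = "br-dmz";
        link = { kind = "bridge"; state = "up"; };
      }
      # veth pair: the "border" end lives in this namespace and is enslaved
      # to br-dmz; its peer ("dmz") is moved into the border namespace.
      {
        name = "border";
        link = {
          kind = "veth";
          peer = "dmz";
          peer_netns = "border";
          master = "br-dmz";
          state = "up";
        };
      }
      # Same layout for the "hel" namespace.
      {
        name = "hel";
        link = {
          kind = "veth";
          peer = "dmz";
          peer_netns = "hel";
          master = "br-dmz";
          state = "up";
        };
      }
    ];
  };

  # block input, output, forward, only bridge
  #
  # All three inet hooks default to drop. Every dropped packet is first sent
  # to NFLOG group 2 (consumed by the ulogd-dmz service below) so the drop is
  # visible in /var/log/nft_dmz_drop.log. Loopback is the only exception, in
  # both directions.
  networking.notnft.namespaces.dmz.rules =
    # ---
    with notnft.dsl; with payload;
    # ---
    ruleset {
      filter = add table { family = f: f.inet; } {
        input = add chain { type = f: f.filter; hook = f: f.input; prio = -300; policy = f: f.drop; }
          [ (is.eq meta.iifname "lo") accept ]
          [ (log { prefix = "[drop] dmz.input: "; queue-threshold = 1; group = 2; }) drop ];

        # The oifname lo accept mirrors the iifname lo accept on input; without
        # it loopback packets are dropped on the way out, so the input rule
        # could never match anything.
        output = add chain { type = f: f.filter; hook = f: f.output; prio = -300; policy = f: f.drop; }
          [ (is.eq meta.oifname "lo") accept ]
          [ (log { prefix = "[drop] dmz.output: "; queue-threshold = 1; group = 2; }) drop ];

        # Attached to the forward hook (previously this chain was hooked on
        # output, so nothing in the ruleset covered forwarded traffic and the
        # log prefix misspelled "forward").
        # NOTE(review): an inet-family forward chain only sees bridged IP
        # traffic when br_netfilter (bridge-nf-call-iptables) is enabled —
        # confirm it is off if br-dmz is meant to keep bridging freely.
        forward = add chain { type = f: f.filter; hook = f: f.forward; prio = -300; policy = f: f.drop; }
          [ (log { prefix = "[drop] dmz.forward: "; queue-threshold = 1; group = 2; }) drop ];
      };
    };

  # ulogd instance running inside the dmz namespace: it reads NFLOG group 2
  # (the group used by the log statements above) and writes each dropped
  # packet to a local file in syslog-emulation format.
  systemd.services.ulogd-dmz = {
    description = "Ulogd Daemon";
    wantedBy = [ "multi-user.target" ];
    wants = [ "network-pre.target" ];
    before = [ "network-pre.target" ];
    # NetworkNamespacePath requires the namespace to exist, and ifstate is
    # what creates it.
    after = [ "ifstate.service" ];
    serviceConfig = let
      settingsFormat = pkgs.formats.ini { listsAsDuplicateKeys = true; };
      settingsFile = settingsFormat.generate "ulogd.conf" {
        # This one for logging to local file in emulated syslog format.
        global.stack = "log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU";
        # Must match `group = 2` in the nftables log statements above.
        log2.group = 2;
        emu1 = {
          file = "/var/log/nft_dmz_drop.log";
          # flush after every record so a drop is on disk as soon as it is seen
          sync = 1;
        };
      };
    in {
      NetworkNamespacePath = "/var/run/netns/dmz";
      ExecStart = "${pkgs.ulogd}/bin/ulogd -c ${settingsFile} --verbose --loglevel 5";
      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
    };
  };
}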