aubergine: nftables: fix DHCP renewal

diff --git a/hosts/aubergine/networking.nix b/hosts/aubergine/networking.nix
index 51cde16cbb9d7c9f504979a33a05c27a224747e2..30dd947f168406c1e26496e5f0da2c9dff1e71c0 100644 (file)
--- a/hosts/aubergine/networking.nix
+++ b/hosts/aubergine/networking.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ pkgs, lib, config, ... }:
 with (import networking/names-and-numbers.nix);
 {
   imports = [
@@ -18,6 +18,16 @@ with (import networking/names-and-numbers.nix);
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
   networking.nftables.ruleset = lib.mkAfter ''
     table inet filter {
+      chain input-lan {
+        meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
+        meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
+      }
+      chain output-lan {
+        meta skuid ${config.users.users."systemd-network".name} \
+          meta l4proto { udp, tcp } th sport bootps \
+          meta l4proto { udp, tcp } th dport bootpc \
+          counter accept comment "DHCP rebinding/renewing"
+      }
       chain forward-to-lan {
         #jump forward-connectivity
         counter accept

diff --git a/hosts/aubergine/networking/nftables.nix b/hosts/aubergine/networking/nftables.nix
index f3c0601efaf12dfabb517cbbe69cc4845de4a951..7b3bcd83ecddbe7d3f4a24ffaef0f854565c8154 100644 (file)
--- a/hosts/aubergine/networking/nftables.nix
+++ b/hosts/aubergine/networking/nftables.nix
@@ -13,8 +13,6 @@ in
     ruleset = ''
       table inet filter {
         chain input-lan {
-          meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
-          meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
           tcp dport ssh counter accept comment "SSH"
           udp dport 60000-61000 counter accept comment "Mosh"
           tcp dport 5201 counter accept comment "iperf"