From 1ec99eb61699b5c41f7fccc066a9cfcd52ca6ab9 Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm+julm-nix@sourcephile.fr>
Date: Thu, 23 Jan 2025 22:42:03 +0100
Subject: [PATCH] aubergine: nftables: fix DHCP renewal
---
hosts/aubergine/networking.nix | 12 +++++++++++-
hosts/aubergine/networking/nftables.nix | 2 --
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/hosts/aubergine/networking.nix b/hosts/aubergine/networking.nix
index 51cde16..30dd947 100644
--- a/hosts/aubergine/networking.nix
+++ b/hosts/aubergine/networking.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ pkgs, lib, config, ... }:
with (import networking/names-and-numbers.nix);
{
imports = [
@@ -18,6 +18,16 @@ with (import networking/names-and-numbers.nix);
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.nftables.ruleset = lib.mkAfter ''
table inet filter {
+ chain input-lan {
+ meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
+ meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
+ }
+ chain output-lan {
+ meta skuid ${config.users.users."systemd-network".name} \
+ meta l4proto { udp, tcp } th sport bootps \
+ meta l4proto { udp, tcp } th dport bootpc \
+ counter accept comment "DHCP rebinding/renewing"
+ }
chain forward-to-lan {
#jump forward-connectivity
counter accept
diff --git a/hosts/aubergine/networking/nftables.nix b/hosts/aubergine/networking/nftables.nix
index f3c0601..7b3bcd8 100644
--- a/hosts/aubergine/networking/nftables.nix
+++ b/hosts/aubergine/networking/nftables.nix
@@ -13,8 +13,6 @@ in
ruleset = ''
table inet filter {
chain input-lan {
- meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
- meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
tcp dport ssh counter accept comment "SSH"
udp dport 60000-61000 counter accept comment "Mosh"
tcp dport 5201 counter accept comment "iperf"
--
2.47.2