From b7f4ca1fbf89e080fa0cd0f290c4f4d16e0039df Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Sun, 22 Nov 2020 03:32:58 +0100
Subject: [PATCH] netns: improve the service

---
 .../losurdo/networking/openvpn/riseup.nix     | 64 +++++++++----------
 machines/losurdo/transmission.nix             |  6 +-
 nixos/modules/services/networking/netns.nix   |  6 +-
 nixos/modules/services/networking/openvpn.nix |  1 +
 4 files changed, 38 insertions(+), 39 deletions(-)

diff --git a/machines/losurdo/networking/openvpn/riseup.nix b/machines/losurdo/networking/openvpn/riseup.nix
index 01f4733..0fe2641 100644
--- a/machines/losurdo/networking/openvpn/riseup.nix
+++ b/machines/losurdo/networking/openvpn/riseup.nix
@@ -9,8 +9,37 @@ networking.nftables.ruleset = ''
   add rule inet filter fw2net tcp dport {443,1194} counter accept comment "OpenVPN"
 '';
 systemd.services."openvpn-${ns}" = {
-  bindsTo = [ "netns@${ns}.service" ];
-  requires = [ "netns@${ns}.service" ];
+  bindsTo = [ "netns-${ns}.service" ];
+  requires = [ "netns-${ns}.service" ];
+};
+services.netns.namespaces.riseup = {
+  nftables = lib.mkBefore ''
+    table inet filter {
+      include "${../../../../var/nftables/filter.txt}"
+      chain input {
+        type filter hook input priority filter
+        policy drop
+        iifname lo accept
+        jump check-tcp
+        ct state { established, related } accept
+        jump accept-connectivity-input
+        jump check-broadcast
+        ct state invalid drop
+      }
+      chain forward {
+        type filter hook forward priority filter
+        policy drop
+        jump accept-connectivity-forward
+      }
+      chain output {
+        type filter hook output priority filter
+        policy drop
+        oifname lo accept
+        ct state { related, established } accept
+        jump accept-connectivity-output
+      }
+    }
+  '';
 };
 services.openvpn.servers = {
   "${ns}" = {
@@ -109,8 +138,6 @@ services.openvpn.servers = {
               dev "${dev}"
           fi
         fi
-
-        ${pkgs.writeScript "ruleset" openvpn.servers.${ns}.nftables}
       ''}
     '';
     routeUp = ''
@@ -160,35 +187,6 @@ services.openvpn.servers = {
         fi
       ''}
     '';
-    nftables = lib.mkBefore ''
-      #!${pkgs.nftables}/bin/nft -f
-      flush ruleset
-      table inet filter {
-        include "${../../../../var/nftables/filter.txt}"
-        chain input {
-          type filter hook input priority filter
-          policy drop
-          iifname lo accept
-          jump check-tcp
-          ct state { established, related } accept
-          jump accept-connectivity-input
-          jump check-broadcast
-          ct state invalid drop
-        }
-        chain forward {
-          type filter hook forward priority filter
-          policy drop
-          jump accept-connectivity-forward
-        }
-        chain output {
-          type filter hook output priority filter
-          policy drop
-          oifname lo accept
-          ct state { related, established } accept
-          jump accept-connectivity-output
-        }
-      }
-    '';
   };
 };
 }
diff --git a/machines/losurdo/transmission.nix b/machines/losurdo/transmission.nix
index b8a93cb..0175677 100644
--- a/machines/losurdo/transmission.nix
+++ b/machines/losurdo/transmission.nix
@@ -9,7 +9,7 @@ in
 users.groups.transmission.members = [
   users."julm".name
 ];
-services.openvpn.servers.${netns}.nftables = ''
+services.netns.namespaces.${netns}.nftables = ''
   add rule inet filter input tcp dport ${toString transmission.settings.peer-port} counter accept comment "Transmission"
   add rule inet filter input udp dport ${toString transmission.settings.peer-port} counter accept comment "Transmission"
   add rule inet filter output meta skuid ${transmission.user} counter accept comment "Transmission"
@@ -21,11 +21,11 @@ security.gnupg.secrets."transmission/settings.json" = {
 systemd.services.transmission = {
   after = [
     gnupg.secrets."transmission/settings.json".service
-    "netns@${netns}.service"
+    "netns-${netns}.service"
   ];
   requires = [
     gnupg.secrets."transmission/settings.json".service
-    "netns@${netns}.service"
+    "netns-${netns}.service"
   ];
   serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns}";
 };
diff --git a/nixos/modules/services/networking/netns.nix b/nixos/modules/services/networking/netns.nix
index 1a67789..a4a238b 100644
--- a/nixos/modules/services/networking/netns.nix
+++ b/nixos/modules/services/networking/netns.nix
@@ -49,12 +49,12 @@ config = {
           RemainAfterExit = true;
           PrivateNetwork = true;
           ExecStart = "${pkgs.iproute}/bin/ip netns add ${escapeShellArg name}";
-          ExecStartPost =
-            optional (config.networking.nftables.enable) (pkgs.writeShellScript "nftables-ruleset" ''
+          ExecStartPost = optional config.networking.nftables.enable
+            "${pkgs.iproute}/bin/ip netns exec ${escapeShellArg name} ${pkgs.writeScript "nftables-ruleset" ''
               #!${pkgs.nftables}/bin/nft -f
               flush ruleset
               ${c.nftables}
-            '');
+            ''}";
           ExecStop = "${pkgs.iproute}/bin/ip netns del ${escapeShellArg name}";
         };
       }
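Review bot: If the ruleset run from the new `ExecStartPost` fails to load, the unit fails to start but the namespace already created by `ExecStart` is not removed, because systemd only runs `ExecStop` for a unit that started successfully; the next start then runs `ip netns add` against an existing name. Moving the cleanup to `ExecStopPost`, which also runs after a failed start, closes that gap: `ExecStopPost = "${pkgs.iproute}/bin/ip netns del ${escapeShellArg name}";` in place of the `ExecStop` line. It is also worth a comment above `ExecStartPost` noting that a fresh namespace starts with an empty ruleset and that with `c.nftables` empty the script only executes `flush ruleset`, so traffic inside the namespace is unfiltered in that case — if that is intended, say so there. The `serviceConfig` block starts outside the hunk.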
diff --git a/nixos/modules/services/networking/openvpn.nix b/nixos/modules/services/networking/openvpn.nix
index 8b9cdd7..84cac8a 100644
--- a/nixos/modules/services/networking/openvpn.nix
+++ b/nixos/modules/services/networking/openvpn.nix
@@ -167,6 +167,7 @@ in
             default = "";
             type = types.lines;
             description = ''
+              Nftables rules
             '';
           };
 
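Review bot: `Nftables rules` does not say where these rules are applied, and in this same patch riseup.nix stops passing `openvpn.servers.${ns}.nftables` to the `up` script while the per-namespace ruleset moves to `services.netns.namespaces.<name>.nftables`; if no other consumer of this option remains, the description should say it is unused or deprecated in favour of that one. Otherwise state the contract, e.g. `Extra nftables rules, in nft -f syntax, applied for this OpenVPN instance.` The option declaration starts outside the hunk.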
-- 
2.47.2