From f36c297da30dc1ebd2dd99baab296a23f154462e Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Tue, 22 Sep 2020 16:07:13 +0200
Subject: [PATCH] traceroute: enable for julm and root

---
 machines/losurdo/networking/nftables.nix  | 1 +
 machines/losurdo/networking/wireguard.nix | 4 ++--
 machines/losurdo/users.nix                | 1 +
 machines/mermet/networking/wireguard.nix  | 2 +-
 nixos/defaults.nix                        | 1 +
 5 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/machines/losurdo/networking/nftables.nix b/machines/losurdo/networking/nftables.nix
index 30c748c..5bff10e 100644
--- a/machines/losurdo/networking/nftables.nix
+++ b/machines/losurdo/networking/nftables.nix
@@ -226,6 +226,7 @@ networking.nftables = {
 
         ip protocol icmp counter accept
         ip daddr 224.0.0.0/4 udp dport 1900 counter accept comment "UPnP"
+        meta skuid 0 udp dport 33434-33523 counter accept comment "traceroute"
 
         ${lib.optionalString networking.enableIPv6 ''
         ip6 nexthdr ipv6-icmp jump accept-icmpv6
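Review bot: The range 33434-33523 on the added `meta skuid 0` rule is an unexplained literal; it only covers a UDP traceroute run with the program defaults (base port 33434, 30 hops, 3 probes per hop), so a run with a different `-p`, `-m` or `-q`, or in ICMP/TCP mode (`-I`/`-T`), will not match this rule and falls through to whatever the chain does next. The same literal is repeated in the machines/losurdo/users.nix hunk at `udp dport 33434-33523`; if both are kept, the derivation should be stated where the number is written, e.g. `comment "traceroute UDP: 33434 + 30 hops x 3 probes"`, or the range bound once in Nix and interpolated into both rulesets. `meta skuid 0` only matches in an output-hook chain, and the chain this line lands in is not visible in the hunk, so that placement is worth confirming. The enclosing ruleset string starts and ends outside the hunk.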
diff --git a/machines/losurdo/networking/wireguard.nix b/machines/losurdo/networking/wireguard.nix
index d34f030..6d7c69f 100644
--- a/machines/losurdo/networking/wireguard.nix
+++ b/machines/losurdo/networking/wireguard.nix
@@ -21,13 +21,13 @@ networking.nftables.ruleset = ''
   #add rule inet filter fw2net udp sport ${toString wireguard."${wg}".listenPort} counter accept comment "${wg}"
   # Allow peers to initiate connection for ${wg}
   #add rule inet filter net2fw udp dport ${toString wireguard."${wg}".listenPort} counter accept comment "${wg}"
-  
+
   # Hook ${wg} into relevant chains
   add rule inet filter input  iifname "${wg}" jump intra2fw
   add rule inet filter input  iifname "${wg}" log level warn prefix "intra2fw: " counter drop
   add rule inet filter output oifname "${wg}" jump fw2intra
   add rule inet filter output oifname "${wg}" log level warn prefix "fw2intra: " counter drop
-  
+
   # ${wg} firewalling
   add rule inet filter fw2intra counter accept
   add rule inet filter intra2fw ip saddr ${relay.ipv4} counter accept comment "relay"
diff --git a/machines/losurdo/users.nix b/machines/losurdo/users.nix
index 7ae7a46..1c3ab0e 100644
--- a/machines/losurdo/users.nix
+++ b/machines/losurdo/users.nix
@@ -20,6 +20,7 @@ networking.nftables.ruleset = lib.concatMapStringsSep "\n"
   ''tcp dport 5222 counter accept comment "XMPP"''
   ''tcp dport 11371 counter accept comment "HKP"''
   ''tcp dport {9009,9010,9011,9012,9013} counter accept comment "croc"''
+  ''udp dport 33434-33523 counter accept comment "traceroute"''
   #''ip protocol tcp counter accept comment "all"''
 ];
 
diff --git a/machines/mermet/networking/wireguard.nix b/machines/mermet/networking/wireguard.nix
index 00cbeb2..9246b8a 100644
--- a/machines/mermet/networking/wireguard.nix
+++ b/machines/mermet/networking/wireguard.nix
@@ -16,7 +16,7 @@ systemd.services."wireguard-${wg}" = {
 networking.nftables.ruleset = ''
   # Allow peers to initiate connection for ${wg}
   add rule inet filter net2fw udp dport ${toString wireguard."${wg}".listenPort} counter accept comment "${wg}"
-  
+
   # Hook ${wg} into relevant chains
   add rule inet filter input  iifname "${wg}" jump intra2fw
   add rule inet filter input  iifname "${wg}" log level warn prefix "intra2fw: " counter drop
diff --git a/nixos/defaults.nix b/nixos/defaults.nix
index 95ff821..00c90e5 100644
--- a/nixos/defaults.nix
+++ b/nixos/defaults.nix
@@ -179,5 +179,6 @@ programs = {
   };
   mosh.enable = true;
   mtr.enable = true;
+  traceroute.enable = true;
 };
 }
-- 
2.47.2