Add modules/firewall to allow bgp on ifaces

2024-03-12 01:15:56 +01:00 · 2024-03-12 01:15:56 +01:00 · d0d92b9100
parent db03284752
commit d0d92b9100
3 changed files with 29 additions and 2 deletions
--- a/checks/two-peers.nix
+++ b/checks/two-peers.nix
@ -48,7 +48,6 @@ pkgs.nixosTest rec {
          prefixLength = 64;
        } ];
      };
-      networking.firewall.enable = false;
    };
    bar = {
      imports = [ ../modules ];
@ -94,7 +93,6 @@ pkgs.nixosTest rec {
          prefixLength = 64;
        } ];
      };
-      networking.firewall.enable = false;
    };
  };

--- a/modules/default.nix
+++ b/modules/default.nix
@ -3,6 +3,10 @@ let
  cfg = config.networking.dn42;
 in
 {
+  imports = [
+    ./firewall.nix
+  ];
+
  options.networking.dn42 = {
    enable = lib.mkEnableOption "Whether to enable dn42 integration.";

--- a/modules/firewall.nix
+++ b/modules/firewall.nix
@ -0,0 +1,25 @@
+{ config, lib, ... }:
+let
+  enable = config.networking.dn42.enable && config.networking.firewall.enable;
+
+in
+{
+  # Allow BGP on peering interfaces
+  # TODO: these should actually only additionally filter for peer's
+  # addresses, but there is no NixOS option for that.
+  networking.firewall.interfaces = lib.mkIf enable (
+    builtins.listToAttrs (
+      map (interface: {
+        name = interface;
+        value.allowedTCPPorts = [
+          # BGP
+          179
+        ];
+      }) (
+        map ({ interface, ... }: interface) (
+          builtins.attrValues config.networking.dn42.peers
+        )
+      )
+    )
+  );
+}