Add modules/firewall to allow bgp on ifaces
This commit is contained in:
parent
db03284752
commit
d0d92b9100
@ -48,7 +48,6 @@ pkgs.nixosTest rec {
prefixLength = 64;
} ];
};
networking.firewall.enable = false;
};
bar = {
imports = [ ../modules ];
@ -94,7 +93,6 @@ pkgs.nixosTest rec {
prefixLength = 64;
} ];
};
networking.firewall.enable = false;
};
};
|
@ -3,6 +3,10 @@ let
cfg = config.networking.dn42;
in
{
imports = [
./firewall.nix
];
options.networking.dn42 = {
enable = lib.mkEnableOption "Whether to enable dn42 integration.";
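--- /dev/null
+++ b/modules/firewall.nix
@@ -0,0 +1,25 @@
+{ config, lib, ... }:
+let
+enable = config.networking.dn42.enable && config.networking.firewall.enable;
+
+in
+{
+# Allow BGP on peering interfaces
+# TODO: these should actually only additionally filter for peer's
+# addresses, but there is no NixOS option for that.
+networking.firewall.interfaces = lib.mkIf enable (
+builtins.listToAttrs (
+map (interface: {
+name = interface;
+value.allowedTCPPorts = [
+# BGP
+179
+];
+}) (
+map ({ interface, ... }: interface) (
+builtins.attrValues config.networking.dn42.peers
+)
+)
+)
+);
+}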
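Review bot: The rule built around `value.allowedTCPPorts = [ 179 ]` opens the BGP listener to every source that can reach a peering interface, and the TODO above it dismisses a per-peer restriction as having no NixOS option, yet `networking.firewall.extraCommands` accepts arbitrary iptables rules and would allow filtering on the peer's address if the `peers` entries carry one (the peer option set is not visible in this hunk, so that is an assumption to confirm). At minimum the comment should state the assumption the design rests on: `# Assumes each peering interface is a point-to-point tunnel on which only the configured peer can send traffic; on a shared link any host can reach the BGP listener.` Two peers on the same interface hand `builtins.listToAttrs` duplicate names, which is harmless only because every value is the identical `[ 179 ]`; `lib.genAttrs (lib.unique interfaces) (_: { allowedTCPPorts = [ 179 ]; })` makes the deduplication explicit instead of incidental. The `{ interface, ... }` pattern also makes evaluation fail for any peer defined without `interface`, so either the option should declare it as required or the map should skip such peers.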
|